https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444
Bug ID: 109444
Summary: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: mohamed.selim at dxc dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

It's possible to overflow the destination array size in std::memcpy; this behavior doesn't trigger the expected sanitizer diagnosis when using memcpy in a virtual method scenario (scenario 1). While in (scenario 2), when the std::memcpy is called from a normal method, the overflow is diagnosed as expected.

#include <iostream>
#include <array>
#include <cstring>
#include <cstdint>   // std::int8_t

// zero terminated 8 characters string literal
const char txt[] = "1234567";

class Bar {
public:
    constexpr Bar() : dst{} { }
    std::int8_t dst[6];
};

void test(Bar& b) {
    std::cout << "starting memcpy.\n";
    std::cout << "size of bytes to be copied: " << sizeof(txt) << "\n";
    std::cout << "dst array size: " << sizeof(b.dst) << "\n";
    std::memcpy(b.dst, txt, sizeof(txt));   // 8 bytes into a 6-byte array: the overflow under test
}

class Base {
public:
    virtual ~Base() = default;
    virtual void func() = 0;
};

// 1 - Foo inherits Base, virtual method implementation
class Foo: public Base {
public:
    void func() override { test(b); }
private:
    Bar b{};
};

// 2 - no inheritance
class Foo2 {
public:
    void func() { test(b); }
private:
    Bar b{};
};

//-std=c++14 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan
int main() {
    Foo c{};    // scenario 1, no sanitizer diagnosis
    //Foo2 c{}; // scenario 2, triggers sanitizer diagnosis
    c.func();
    return 0;
}
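The report shows that a sanitizer run is not a reliable bounds check for this pattern: the same out-of-bounds memcpy is reported on one call path and missed on another. The following is an added example, not code from the report or from GCC, showing the mitigation a practitioner would reach for instead: a bounds check at the copy site itself, which refuses an oversized copy regardless of whether it is reached through a virtual or a plain method. The names safe_copy, copy_array, copy_through_virtual and copy_fitting_literal are assumptions made for this example; the 8-byte literal and the 6-byte destination mirror the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// safe_copy (hypothetical helper): bounds check at the copy site. Returns false and
// copies nothing when len exceeds the destination's capacity, so an oversized copy
// is refused no matter whether the caller is a virtual or a plain method.
template <std::size_t N>
bool safe_copy(std::int8_t (&dst)[N], const void* src, std::size_t len) {
    if (len > N) {
        return false;               // would overflow: refuse instead of copying
    }
    std::memcpy(dst, src, len);
    return true;
}

// copy_array (hypothetical helper): when both sides are arrays of known size the
// check moves to compile time; a source larger than the destination does not build.
template <std::size_t N, std::size_t M>
void copy_array(std::int8_t (&dst)[N], const char (&src)[M]) {
    static_assert(M <= N, "source array does not fit in destination");
    std::memcpy(dst, src, M);
}

const char txt[] = "1234567";       // 8 bytes including the terminator, as in the report

struct Bar {
    std::int8_t dst[6] = {};        // same 6-byte destination as the report
};

struct Base {
    virtual ~Base() = default;
    virtual bool func(std::size_t len) = 0;
};

// Same shape as the report's scenario 1: the copy happens inside a virtual method.
struct Foo : Base {
    bool func(std::size_t len) override { return safe_copy(b.dst, txt, len); }
    Bar b{};
};

// Drives the copy through a Base reference, i.e. through the vtable, the path on
// which the report says the sanitizer stays silent. Returns whether the copy was accepted.
bool copy_through_virtual(std::size_t len) {
    Foo f{};
    Base& base = f;
    return base.func(len);
}

// Compile-time check in action: a 6-byte literal fits a 6-byte destination.
bool copy_fitting_literal() {
    Bar b{};
    const char small[] = "12345";   // 6 bytes including the terminator (constructed input)
    copy_array(b.dst, small);
    return std::memcmp(b.dst, small, sizeof(small)) == 0;
    // copy_array(b.dst, txt) would fail to compile: 8 bytes do not fit in 6.
}

int main() {
    std::printf("copy of %zu bytes accepted: %s\n", sizeof(txt),
                copy_through_virtual(sizeof(txt)) ? "yes" : "no");   // no
    std::printf("copy of 6 bytes accepted: %s\n",
                copy_through_virtual(6) ? "yes" : "no");             // yes
    return 0;
}
```

The check lives in the helper rather than in the sanitizer, so it holds in release builds and on every call path. Fortified libc builds (-D_FORTIFY_SOURCE with optimisation) are a complementary layer, but they only fire when the compiler can determine the destination object's size, which a Bar& parameter as in the report does not guarantee.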