https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109446
Bug ID: 109446
Summary: Possible destination array overflow without diagnosis
in memcpy
Product: gcc
Version: 8.4.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: mohamed.selim at dxc dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at
gcc dot gnu.org
Target Milestone: ---
Possible overflow of destination array using std::memcpy, the behavior doesn't
trigger any diagnostic by the sanitizer in scenario I, while in scenario II the
behavior triggers the sanitizer diagnosis.
In the test the overflow is about 40 bytes, by overflow 24 bytes array with 64
bytes src string literals.
I've also tried to use alignas(64) to align class bar on 64 bytes i.e.
class alignas(64) Bar
{
...
};
But it didn't trigger the sanitizer diagnosis.
#include <iostream>
#include <array>
#include <cstring>
const char txt[] =
"123456789-123456789-123456789-123456789-123456789-123456789-123";
class Bar
{
public:
constexpr Bar() : m1{}, m2{}, m3{}, m4{}, dst{} {}
std::uint16_t m1;
std::uint16_t m2;
std::uint16_t m3;
std::uint16_t m4;
std::int8_t dst[24];
};
void test(Bar& b) // scenario II
//void test(Bar& b) // scenario II
{
std::cout << "staring memcpy.\n";
std::cout << "size of bytes to be copied: " << sizeof(txt) <<"\n";
std::cout << "dst array size: " << sizeof(b.dst) << "\n";
std::cout << "overflow size: " << sizeof(txt) - sizeof(b.dst) << "\n";
std::memcpy(b.dst, txt, sizeof(txt));
}
class client
{
public:
void func()
{
test(b);
}
private:
Bar b{};
};
//g++-8 -o vtest vmain.cpp -std=c++14 -fsanitize=address -fsanitize=undefined
-static-libasan -static-libubsan
int main()
{
client c{};
c.func();
std::cout << "size of Bar: " << sizeof(Bar) << "\n";
std::cout << "align of Bar: " << alignof(Bar) << "\n";
return 0;
}
