From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 48)
	id BBEC2385703E; Wed, 14 Jul 2021 18:56:50 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org BBEC2385703E
From: "pinskia at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/101453] ICE on compilable code: *** buffer overflow detected ***: terminated
Date: Wed, 14 Jul 2021 18:56:50 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: ice-on-invalid-code
X-Bugzilla-Severity: normal
X-Bugzilla-Who: pinskia at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: pinskia at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: cf_reconfirmed_on assigned_to keywords bug_status everconfirmed
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 14 Jul 2021 18:56:50 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101453

Andrew Pinski changed:

           What    |Removed                      |Added
----------------------------------------------------------------------------
   Last reconfirmed|                             |2021-07-14
           Assignee|unassigned at gcc dot gnu.org|pinskia at gcc dot gnu.org
           Keywords|                             |ice-on-invalid-code
             Status|UNCONFIRMED                  |ASSIGNED
     Ever confirmed|0                            |1

--- Comment #1 from Andrew Pinski ---
This is a buffer overflow.

  char buffer[20];
  sprintf (buffer, "-O%ld", (long) TREE_INT_CST_LOW (value));
  vec_safe_push (optimize_args, ggc_strdup (buffer));

so a 64-bit signed integer max takes 20 bytes.
Add in "-O", you are up to 22 bytes, and then add the null, you are at 23 bytes.
So the fix is simple: just increase the buffer to 23.

so maybe a better definition is:

  char buffer[((int)((sizeof(long)*CHAR_BIT)/3.32))+1+3];

The magic 3.32 is log(10)/log(2), that is, for every base-10 digit it takes ~3.32 bits to represent.
The first +1 is a round up because the cast is truncating.
The +3 is for the "-O" part including the null character.
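The sizing argument in the comment above, worked through in a stand-alone C program. This is an added example, not code from the bug report or from GCC: the macros DEC_DIGITS_FOR_BITS, SIGNED_DEC_DIGITS and OPT_LEVEL_BUF_SIZE and the helper functions are my own names. It derives the buffer size from the width of `long` using integer arithmetic instead of the floating-point 3.32 constant, and it uses snprintf so that the undersized 20-byte buffer produces a detectable truncation rather than an out-of-bounds write.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on the decimal digits of a magnitude that fits in `bits`
 * bits: ceil(bits * log10(2)).  Integer arithmetic with 0.30103 > log10(2),
 * so the result never rounds down; for bits = 63 it yields 19.
 * (Added example; not GCC's own sizing macro.) */
#define DEC_DIGITS_FOR_BITS(bits) (((bits) * 30103UL + 99999UL) / 100000UL)

/* Digits of the largest magnitude of a signed type (sign bit excluded). */
#define SIGNED_DEC_DIGITS(type) DEC_DIGITS_FOR_BITS(sizeof(type) * CHAR_BIT - 1)

/* "-O" prefix, optional minus sign, digits, terminating NUL:
 * 2 + 1 + 19 + 1 = 23 bytes for a 64-bit long. */
#define OPT_LEVEL_BUF_SIZE (2 + 1 + SIGNED_DEC_DIGITS(long) + 1)

/* Bytes sprintf would store for "-O<value>", NUL included. */
size_t opt_level_bytes(long value)
{
    return (size_t)snprintf(NULL, 0, "-O%ld", value) + 1;
}

/* Bounded formatter: writes "-O<value>" into buf and returns 1 on success,
 * 0 if buf (of cap bytes) is too small.  snprintf never writes past cap,
 * so an undersized buffer yields a truncation we can report, not an overflow. */
int format_opt_level(char *buf, size_t cap, long value)
{
    int n = snprintf(buf, cap, "-O%ld", value);
    return n >= 0 && (size_t)n < cap;
}

/* The original sizing: a 20-byte buffer cannot hold LONG_MIN on LP64. */
int fits_in_20_bytes(long value)
{
    char buffer[20];
    return format_opt_level(buffer, sizeof buffer, value);
}

/* The same call with a buffer sized from the width of long. */
int fits_in_sized_buffer(long value)
{
    char buffer[OPT_LEVEL_BUF_SIZE];
    return format_opt_level(buffer, sizeof buffer, value);
}

int main(void)
{
    /* Constructed probe values covering the short, max and min cases. */
    long probes[] = { 0, 3, LONG_MAX, LONG_MIN };
    size_t i;

    printf("sizeof(long) = %zu, OPT_LEVEL_BUF_SIZE = %zu\n",
           sizeof(long), (size_t)OPT_LEVEL_BUF_SIZE);
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("%21ld needs %2zu bytes: 20-byte buffer %s, sized buffer %s\n",
               probes[i], opt_level_bytes(probes[i]),
               fits_in_20_bytes(probes[i]) ? "ok" : "too small",
               fits_in_sized_buffer(probes[i]) ? "ok" : "too small");
    }
    return 0;
}
```

On an LP64 target the sized buffer comes out at 23 bytes, the value the comment arrives at; on a 32-bit `long` the same macro shrinks to 14, so the size tracks the type rather than a hand-counted constant. Note that the `long` passed to `%ld` can be negative here (`TREE_INT_CST_LOW` is cast to a signed type), which is why the sign byte is budgeted separately from the "-O" prefix.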