From: "vultkayn at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
Date: Fri, 01 Sep 2023 09:56:08 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266

Bug ID: 111266
Summary: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: vultkayn at gcc dot gnu.org
Target Milestone: ---

Hi,

The analyzer does not emit the expected "heap-based write overflow" in the reproducer below.
#include <stdint.h>
void *malloc (__SIZE_TYPE__);
void free (void *);

void test_binop2 ()
{
  char *p = (char *) malloc (4);
  int32_t *i = (int32_t *) (p + 3);
  *i = 20042; /* { dg-warning "heap-based buffer overflow" "" { xfail *-*-* } } */
  free (p);
}

A quick investigation showed that on *i = 20042, check_region_bounds had the following:
reg is an offset_region(heap_allocated(12), 'int32_', 3) as expected
base_reg is heap_allocated(12)
base_reg's capacity is correct too, and reg_offset *is* 3 bytes, as it should.

The issue comes from num_bytes_sval, which corresponds to the number of bytes accessed. It should be a constant_svalue of value 4, but is instead of value 1.
Therefore the "read_bytes" byte_range does not overflow the buffer, as we get (offset) 3 + (accessed bytes) 1 = 4, which is not an overflow (3 + 4 expected)
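Added illustration, not part of the report and not GCC's own code: a small model of the byte-range comparison the report describes, showing why an access size of 1 byte hides the overflow that the correct size, sizeof (int32_t) = 4, exposes. The struct and function names (byte_range, bytes_past_end, reproducer_overflow) are hypothetical stand-ins for the analyzer's internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A byte range [start, start + size) relative to the base region.  */
struct byte_range {
  size_t start;
  size_t size;
};

/* Model of the check: compare the accessed bytes against the base region's
   capacity and return how many bytes land past the end (0 means in bounds).
   Hypothetical helper, not the analyzer's real check_region_bounds.  */
static size_t bytes_past_end(size_t capacity, struct byte_range access)
{
  size_t end = access.start + access.size;   /* one past the last byte */
  return end > capacity ? end - capacity : 0;
}

/* The access from the reproducer: malloc (4), offset 3, num_bytes_sval as
   the analyzer computed it.  */
static size_t reproducer_overflow(size_t num_bytes_sval)
{
  const size_t capacity = 4;                       /* malloc (4) */
  struct byte_range write = { 3, num_bytes_sval }; /* p + 3 */
  return bytes_past_end(capacity, write);
}

int main(void)
{
  /* Correct size for *i: 4 bytes at offset 3 cover bytes 3..6, 3 past the end.  */
  printf("num_bytes=%zu -> %zu byte(s) past end\n", sizeof(int32_t),
         reproducer_overflow(sizeof(int32_t)));
  /* The size the report says was actually used: 3 + 1 = 4, no overflow seen.  */
  printf("num_bytes=1 -> %zu byte(s) past end\n", reproducer_overflow(1));
  return 0;
}
```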