public inbox for gcc-bugs@sourceware.org
* [Bug c++/60792] New: bogus buffer overflow warning and abort on static flexible array member in a child object
From: abalint21 at gmail dot com @ 2014-04-09 10:21 UTC
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60792
Bug ID: 60792
Summary: bogus buffer overflow warning and abort on static flexible array member in a child object
Product: gcc
Version: 4.8.2
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: abalint21 at gmail dot com
g++ emits a bogus warning on the program below, which then aborts at runtime.
The strange thing is that if I get the reference of the child object and then
get the address of the str field, then everything is OK. It seems that g++
cannot handle the inner child object's str if it is accessed via
parent->child.str, but it is OK when a reference is taken from the child and
then accessed via child.str.
$ cat main.cpp && g++ -D_FORTIFY_SOURCE=2 -O2 main.cpp && ./a.out
#include <cstdlib>
#include <cstring>
#include <iostream>

struct Parent
{
    struct Child
    {
        int a;
        char b;
        char str[0]; ///< ASCIIZ
    } child;
};

//#define DONT_CRASH

int main(int argc, char** argv)
{
    char* buffer = new char[32768];
    Parent* parent = (Parent*) buffer;
    parent->child.a = 1;
    parent->child.b = 'a';
#ifdef DONT_CRASH
    // Address taken through a Child reference: no warning, no abort.
    Parent::Child& child = parent->child;
    char* childStr = child.str;
#else
    // Address taken via parent->child.str: __bos() reports 0 and strncpy aborts.
    char* childStr = parent->child.str;
#endif
    std::cout << __USE_FORTIFY_LEVEL << std::endl;
    std::cout << __bos(childStr) << std::endl; // glibc's fortify object-size macro
    size_t strLen = 4;
    std::strncpy(childStr, "test", strLen);
    if (childStr[strLen] not_eq '\0')
    {
        childStr[strLen] = '\0';
    }
    return 0;
}
In file included from /usr/include/string.h:640:0,
from /usr/include/c++/4.8.2/cstring:42,
from main.cpp:2:
In function ‘char* strncpy(char*, const char*, size_t)’,
inlined from ‘int main(int, char**)’ at main.cpp:38:43:
/usr/include/bits/string3.h:120:71: warning: call to char*
__builtin___strncpy_chk(char*, const char*, long unsigned int, long unsigned
int) will always overflow destination buffer [enabled by default]
return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
^
2
0
*** buffer overflow detected ***: ./a.out terminated
...
Aborted
Subject: [Bug ada/60730] 'Round of a fixed point type incorrectly truncates its operand instead of rounding it
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60730
John Marino <gnugcc at marino dot st> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gnugcc at marino dot st
--- Comment #2 from John Marino <gnugcc at marino dot st> ---
What platform is this program being run on?
What is the output of "uname -a"?
* [Bug c++/60792] bogus buffer overflow warning and abort on flexible array member in a child object
From: jakub at gcc dot gnu.org @ 2014-04-09 11:24 UTC
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60792
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jakub at gcc dot gnu.org
--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
A zero-length array inside of another string is not a flexible array member, nor
anything close to that, and with -D_FORTIFY_SOURCE=2 it is not even supposed to be
handled like a flexible array member alternative. Thus, I don't see why you
think this is a bug. Simply don't do it, use -D_FORTIFY_SOURCE=1 instead, or
use e.g. memcpy instead of strncpy, which is allowed even in -D_FORTIFY_SOURCE=2
mode (which is stricter than what C/C++ allows) to cross field boundaries.
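The field-level bound that Jakub's reply refers to, as an added example that is not code from the bug report, GCC or glibc: it reproduces the reporter's nested zero-length array, shows that the enclosing-field bound _FORTIFY_SOURCE=2 applies to it is 0 (the "0" the reporter's program printed), and contrasts a layout whose trailing flexible array member gets the allocation's leftover room as its bound. `struct Record`, `nested_str_bound`, `record_str_bound`, `checked_strcpy` and `make_record` are names made up for this example.

```c
/* Added example, not code from the bug report or from GCC/glibc. It mirrors
 * the bound _FORTIFY_SOURCE=2 applies to a trailing array; names are made up. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* The reporter's layout: a zero-length array inside a nested struct. */
struct Parent {
    struct Child {
        int a;
        char b;
        char str[0];
    } child;
};

/* A layout the level-2 check accepts: the flexible array member is the last
 * member of the outermost struct, so its room is what the allocation leaves. */
struct Record {
    int a;
    char b;
    char str[];
};
/* Level 2 (__bos, i.e. __builtin_object_size(p, 1)) bounds a copy by the
 * enclosing field rather than the whole allocation; for char str[0] that is 0. */
size_t nested_str_bound(void) {
    return sizeof(((struct Parent *)0)->child.str);
}
/* Room left for the trailing flexible array member in an alloc-byte block. */
size_t record_str_bound(size_t alloc) {
    size_t fixed = offsetof(struct Record, str);
    return alloc > fixed ? alloc - fixed : 0;
}
/* Copy src as a NUL-terminated string into dst, refusing when bound is too
 * small: the decision __strncpy_chk makes, minus the abort. glibc's memcpy
 * wrapper checks __bos0 (the whole object), which is why it may cross fields. */
int checked_strcpy(char *dst, size_t bound, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > bound)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}
/* Allocate an alloc-byte Record holding src; NULL when src does not fit. */
struct Record *make_record(size_t alloc, const char *src) {
    struct Record *r = alloc >= sizeof *r ? calloc(1, alloc) : NULL;
    if (r && !checked_strcpy(r->str, record_str_bound(alloc), src)) {
        free(r);
        r = NULL;
    }
    return r;
}
```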
* [Bug c++/60792] bogus buffer overflow warning and abort on flexible array member in a child object
From: abalint21 at gmail dot com @ 2014-04-09 14:04 UTC
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60792
Attila Balint <abalint21 at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |INVALID
--- Comment #2 from Attila Balint <abalint21 at gmail dot com> ---
(In reply to Jakub Jelinek from comment #1)
> A zero-length array inside of another string is not a flexible array member,
> nor anything close to that, and with -D_FORTIFY_SOURCE=2 it is not even
> supposed to be handled like a flexible array member alternative. Thus, I
> don't see why you think this is a bug. Simply don't do it, use
> -D_FORTIFY_SOURCE=1 instead, or use e.g. memcpy instead of strncpy, which is
> allowed even in -D_FORTIFY_SOURCE=2 mode (which is stricter than what C/C++
> allows) to cross field boundaries.
Clear. Thank you for the clarification. It is not a bug.