From mboxrd@z Thu Jan 1 00:00:00 1970
From: "sisyphus359 at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/89161] Bogus -Wformat-overflow warning with value range known
Date: Tue, 13 Oct 2020 04:26:59 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c
X-Bugzilla-Version: 7.4.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89161

sisyphus359 at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sisyphus359 at gmail dot com

--- Comment #3 from sisyphus359 at gmail dot com ---
Another demo of just how nasty this bug can be.
(Apologies if this adds nothing to what has already been ascertained.)
/********************************/
/* overflow.c
 *
 * Build with (eg):
 *
 * gcc -o overflow overflow.c -O2 -Wall
 */

#include <stdio.h>

void foo(double, unsigned int);

int main(void) {
  double d = 5.1;
  unsigned int precis = 15;
  foo(d, precis);
}

void foo(double dub, unsigned int prec) {
  char buf[127];
  if( prec < sizeof(buf) &&               /** LINE 18 **/
      sizeof(buf) - prec > 10 ){
    sprintf (buf, "%.*g", prec, dub);     /** LINE 21 **/
    printf("%s\n", buf);
  }
}
/********************************/

The warning is:

overflow.c:21:19: warning: '%.*g' directive writing between 1 and 133 bytes into a region of size 127 [-Wformat-overflow=]
   sprintf (buf, "%.*g", prec, dub);
                  ^~~~
overflow.c:21:18: note: assuming directive output of 132 bytes
   sprintf (buf, "%.*g", prec, dub);
                 ^~~~~~
overflow.c:21:4: note: 'sprintf' output between 2 and 134 bytes into a destination of size 127
   sprintf (buf, "%.*g", prec, dub);
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

and I'm seeing it on Ubuntu-20.04, gcc-9.3.0 and on Windows 7, gcc-8.3.0.

That's the message as seen on Windows, and it's essentially the same as appears on Ubuntu except that Ubuntu appends some additional noise:

In file included from /usr/include/stdio.h:867,
                 from overflow.c:4:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:36:10: note: ‘__builtin___sprintf_chk’ output between 2 and 134 bytes into a destination of size 127
   36 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   37 |      __bos (__s), __fmt, __va_arg_pack ());
      |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A couple of things to note:

1) AFAICS, a buffer overflow cannot occur unless sizeof(buf) - prec wraps to a value greater than 10. That's why we check in advance that prec < sizeof(buf) at line 18.

2) If I comment out the first condition (ie line 18) then no warning is issued, even though the removal of that condition opens the door to buffer overflow occurring.
Cheers,
Rob
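An added example, not part of the bug report or of GCC: it spells out the arithmetic behind the diagnostic's figures and shows a way to format a caller-supplied precision into a fixed buffer that does not depend on sprintf staying within bounds. For a double, "%.*g" output is at most sign + prec significant digits + '.' + a five-character exponent such as "e-308", i.e. prec + 7 bytes before the NUL, which for prec up to 126 gives the 133 (134 with the terminator) quoted in the warning above. The function names (g_max_len, prec_fits, format_double, check_format) are this example's own; the test values are constructed.

```c
/* Added example (not from the bug report): bound "%.*g" output explicitly
 * and format through snprintf so truncation is detected instead of
 * overflowing the destination. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Worst-case length of "%.*g" output for a double, excluding the NUL:
 * sign + prec significant digits + '.' + "e-308" (5 chars) = prec + 7.
 * A precision of 0 is treated as 1, as the C standard specifies for %g. */
size_t g_max_len(unsigned int prec)
{
    if (prec == 0)
        prec = 1;
    return (size_t)prec + 7;
}

/* 1 if the worst-case output plus its terminating NUL fits in bufsz bytes. */
int prec_fits(unsigned int prec, size_t bufsz)
{
    return g_max_len(prec) + 1 <= bufsz;
}

/* Format d with precision prec into buf[bufsz] using snprintf.
 * Returns the number of characters written (excluding the NUL) on success,
 * or -1 if the output was truncated or the arguments are unusable. */
int format_double(char *buf, size_t bufsz, double d, unsigned int prec)
{
    int n;
    if (buf == NULL || bufsz == 0 || prec > INT_MAX)
        return -1;
    n = snprintf(buf, bufsz, "%.*g", (int)prec, d);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;                 /* truncated: buf holds a cut-off prefix */
    return n;
}

/* Helper for checks: format into a local buffer limited to bufsz bytes.
 * Returns 1 if the output fit and equals expect, 0 if it was truncated,
 * -1 if it fit but differs from expect (or bufsz exceeds the local buffer). */
int check_format(size_t bufsz, double d, unsigned int prec, const char *expect)
{
    char buf[128];
    if (bufsz > sizeof buf)
        return -1;
    if (format_double(buf, bufsz, d, prec) < 0)
        return 0;
    return strcmp(buf, expect) == 0 ? 1 : -1;
}

int main(void)
{
    char buf[127];                 /* same destination size as overflow.c */
    unsigned int prec = 15;        /* constructed input, as in the report */
    if (!prec_fits(prec, sizeof buf) ||
        format_double(buf, sizeof buf, 5.1, prec) < 0) {
        fprintf(stderr, "precision %u does not fit in %zu bytes\n",
                prec, sizeof buf);
        return 1;
    }
    printf("%s (worst case for precision %u is %zu bytes)\n",
           buf, prec, g_max_len(prec));
    return 0;
}
```

The prec_fits check is the static bound a reviewer can verify by hand; the snprintf return-value check is the runtime backstop for any precision that reaches the call anyway.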