public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug middle-end/97373] New: missing warning on sprintf into allocated destination
@ 2020-10-11 23:07 msebor at gcc dot gnu.org
2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-10-11 23:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373
Bug ID: 97373
Summary: missing warning on sprintf into allocated destination
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
-Wformat-overflow doesn't detect buffer overflow in sprintf call writing to
allocated objects with non-constant sizes. The problem is that the warning
calls compute_builtin_object_size() instead of compute_objsize().
$ cat q.c && gcc -O2 -S -Wall q.c
void* f (int n)
{
if (n < 5 || 7 < n)
n = 5;
char *p = __builtin_malloc (n);
__builtin_strcpy (p, "1234567"); // warning (good)
return p;
}
void* g (int n)
{
if (n < 5 || 7 < n)
n = 5;
char *p = __builtin_malloc (n);
__builtin_sprintf (p, "%i", 1234567); // missing warning
return p;
}
q.c: In function ‘f’:
q.c:7:3: warning: ‘__builtin_memcpy’ writing 8 bytes into a region of size
between 5 and 7 [-Wstringop-overflow=]
7 | __builtin_strcpy (p, "1234567"); // warning (good)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
q.c:6:13: note: at offset 0 to an object with size between 5 and 7 allocated by
‘__builtin_malloc’ here
6 | char *p = __builtin_malloc (n);
| ^~~~~~~~~~~~~~~~~~~~
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97373] missing warning on sprintf into allocated destination
2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
@ 2020-10-11 23:13 ` msebor at gcc dot gnu.org
2020-11-05 0:59 ` msebor at gcc dot gnu.org
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-10-11 23:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |85741
Keywords| |diagnostic
--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
The simplest change to diagnose the overflow in comment #0 goes like this:
diff --git a/gcc/gimple-ssa-sprintf.c b/gcc/gimple-ssa-sprintf.c
index fff034fac4d..ed35eccebf3 100644
--- a/gcc/gimple-ssa-sprintf.c
+++ b/gcc/gimple-ssa-sprintf.c
@@ -4047,9 +4047,13 @@ get_destination_size (tree dest)
use type-zero object size to determine the size of the enclosing
object (the function fails without optimization in this type). */
int ost = optimize > 0;
- unsigned HOST_WIDE_INT size;
- if (compute_builtin_object_size (dest, ost, &size))
- return size;
+ access_ref ref;
+ if (compute_objsize (dest, ost, &ref))
+ {
+ offset_int size = ref.size_remaining ();
+ if (wi::fits_uhwi_p (size))
+ return size.to_uhwi ();
+ }
return HOST_WIDE_INT_MAX;
}
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85741
[Bug 85741] [meta-bug] bogus/missing -Wformat-overflow
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97373] missing warning on sprintf into allocated destination
2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
@ 2020-11-05 0:59 ` msebor at gcc dot gnu.org
2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
2020-12-01 20:58 ` msebor at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-11-05 0:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Keywords| |patch
Last reconfirmed| |2020-11-05
Assignee|unassigned at gcc dot gnu.org |msebor at gcc dot gnu.org
Status|UNCONFIRMED |ASSIGNED
--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2020-November/558127.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97373] missing warning on sprintf into allocated destination
2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
2020-11-05 0:59 ` msebor at gcc dot gnu.org
@ 2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
2020-12-01 20:58 ` msebor at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2020-12-01 20:41 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Sebor <msebor@gcc.gnu.org>:
https://gcc.gnu.org/g:d02c41dd414dcc65a08bc82f312f7808b5d90028
commit r11-5622-gd02c41dd414dcc65a08bc82f312f7808b5d90028
Author: Martin Sebor <msebor@redhat.com>
Date: Tue Dec 1 13:38:08 2020 -0700
PR middle-end/97373 - missing warning on sprintf into allocated destination
gcc/ChangeLog:
PR middle-end/97373
* builtins.c (compute_objsize): Rename...
(compute_objsize_r): to this. Change order and types of arguments.
Use new argument. Adjust calls to self.
(access_ref::get_ref): New member function.
(pointer_query::pointer_query): New member function.
(pointer_query::get_ref): Same.
(pointer_query::put_ref): Same.
(handle_min_max_size): Change order and types of arguments.
(maybe_emit_free_warning): Add a test.
* builtins.h (class pointer_query): New class.
(compute_objsize): Declare an overload.
* gimple-ssa-sprintf.c (get_destination_size): Add argument.
(handle_printf_call): Change argument type.
* tree-ssa-strlen.c (adjust_last_stmt): Add an argument and use it.
(maybe_warn_overflow): Same.
(handle_builtin_strcpy): Same.
(maybe_diag_stxncpy_trunc): Same.
(handle_builtin_memcpy): Change argument type. Adjust calls.
(handle_builtin_strcat): Same.
(handle_builtin_memset): Same.
(handle_store): Same.
(strlen_check_and_optimize_call): Same.
(check_and_optimize_stmt): Same.
(strlen_dom_walker): Add new data members.
(strlen_dom_walker::before_dom_children): Use new member.
(printf_strlen_execute): Dump cache performance counters. Remove
objsize pass cleanup.
* tree-ssa-strlen.h (maybe_diag_stxncpy_trunc): Add argument.
(handle_printf_call): Change argument type.
gcc/testsuite/ChangeLog:
PR middle-end/97373
* gcc.dg/tree-ssa/builtin-sprintf-warn-25.c: New test.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97373] missing warning on sprintf into allocated destination
2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
` (2 preceding siblings ...)
2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
@ 2020-12-01 20:58 ` msebor at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-12-01 20:58 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
Target Milestone|--- |11.0
--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
Done in r11-5622.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-12-01 20:58 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
2020-11-05 0:59 ` msebor at gcc dot gnu.org
2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
2020-12-01 20:58 ` msebor at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).