[Bug middle-end/97373] New: missing warning on sprintf into allocated destination

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug middle-end/97373] New: missing warning on sprintf into allocated destination
@ 2020-10-11 23:07 msebor at gcc dot gnu.org
  2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-10-11 23:07 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373

            Bug ID: 97373
           Summary: missing warning on sprintf into allocated destination
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

-Wformat-overflow doesn't detect buffer overflow in sprintf call writing to
allocated objects with non-constant sizes.  The problem is that the warning
calls compute_builtin_object_size() instead of compute_objsize().

$ cat q.c && gcc -O2 -S -Wall q.c
void* f (int n)
{
  if (n < 5 || 7 < n)
    n = 5;

  char *p = __builtin_malloc (n);
  __builtin_strcpy (p, "1234567");   // warning (good)
  return p;
}

void* g (int n)
{ 
  if (n < 5 || 7 < n)
    n = 5;

  char *p = __builtin_malloc (n);
  __builtin_sprintf (p, "%i", 1234567);   // missing warning
  return p;
}
q.c: In function ‘f’:
q.c:7:3: warning: ‘__builtin_memcpy’ writing 8 bytes into a region of size
between 5 and 7 [-Wstringop-overflow=]
    7 |   __builtin_strcpy (p, "1234567");   // warning (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
q.c:6:13: note: at offset 0 to an object with size between 5 and 7 allocated by
‘__builtin_malloc’ here
    6 |   char *p = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug middle-end/97373] missing warning on sprintf into allocated destination
  2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
@ 2020-10-11 23:13 ` msebor at gcc dot gnu.org
  2020-11-05  0:59 ` msebor at gcc dot gnu.org
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-10-11 23:13 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |85741
           Keywords|                            |diagnostic

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
The simplest change to diagnose the overflow in comment #0 goes like this:

diff --git a/gcc/gimple-ssa-sprintf.c b/gcc/gimple-ssa-sprintf.c
index fff034fac4d..ed35eccebf3 100644
--- a/gcc/gimple-ssa-sprintf.c
+++ b/gcc/gimple-ssa-sprintf.c
@@ -4047,9 +4047,13 @@ get_destination_size (tree dest)
      use type-zero object size to determine the size of the enclosing
      object (the function fails without optimization in this type).  */
   int ost = optimize > 0;
-  unsigned HOST_WIDE_INT size;
-  if (compute_builtin_object_size (dest, ost, &size))
-    return size;
+  access_ref ref;
+  if (compute_objsize (dest, ost, &ref))
+    {
+      offset_int size = ref.size_remaining ();
+      if (wi::fits_uhwi_p (size))
+       return size.to_uhwi ();
+    }

   return HOST_WIDE_INT_MAX;
 }


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85741
[Bug 85741] [meta-bug] bogus/missing -Wformat-overflow

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug middle-end/97373] missing warning on sprintf into allocated destination
  2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
  2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
@ 2020-11-05  0:59 ` msebor at gcc dot gnu.org
  2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
  2020-12-01 20:58 ` msebor at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-11-05  0:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
           Keywords|                            |patch
   Last reconfirmed|                            |2020-11-05
           Assignee|unassigned at gcc dot gnu.org      |msebor at gcc dot gnu.org
             Status|UNCONFIRMED                 |ASSIGNED

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2020-November/558127.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug middle-end/97373] missing warning on sprintf into allocated destination
  2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
  2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
  2020-11-05  0:59 ` msebor at gcc dot gnu.org
@ 2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
  2020-12-01 20:58 ` msebor at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2020-12-01 20:41 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Sebor <msebor@gcc.gnu.org>:

https://gcc.gnu.org/g:d02c41dd414dcc65a08bc82f312f7808b5d90028

commit r11-5622-gd02c41dd414dcc65a08bc82f312f7808b5d90028
Author: Martin Sebor <msebor@redhat.com>
Date:   Tue Dec 1 13:38:08 2020 -0700

    PR middle-end/97373 - missing warning on sprintf into allocated destination

    gcc/ChangeLog:

            PR middle-end/97373
            * builtins.c (compute_objsize): Rename...
            (compute_objsize_r): to this.  Change order and types of arguments.
            Use new argument.  Adjust calls to self.
            (access_ref::get_ref): New member function.
            (pointer_query::pointer_query): New member function.
            (pointer_query::get_ref): Same.
            (pointer_query::put_ref): Same.
            (handle_min_max_size): Change order and types of arguments.
            (maybe_emit_free_warning): Add a test.
            * builtins.h (class pointer_query): New class.
            (compute_objsize): Declare an overload.
            * gimple-ssa-sprintf.c (get_destination_size): Add argument.
            (handle_printf_call): Change argument type.
            * tree-ssa-strlen.c (adjust_last_stmt): Add an argument and use it.
            (maybe_warn_overflow): Same.
            (handle_builtin_strcpy): Same.
            (maybe_diag_stxncpy_trunc): Same.
            (handle_builtin_memcpy): Change argument type.  Adjust calls.
            (handle_builtin_strcat): Same.
            (handle_builtin_memset): Same.
            (handle_store): Same.
            (strlen_check_and_optimize_call): Same.
            (check_and_optimize_stmt): Same.
            (strlen_dom_walker): Add new data members.
            (strlen_dom_walker::before_dom_children): Use new member.
            (printf_strlen_execute): Dump cache performance counters.  Remove
            objsize pass cleanup.
            * tree-ssa-strlen.h (maybe_diag_stxncpy_trunc): Add argument.
            (handle_printf_call): Change argument type.

    gcc/testsuite/ChangeLog:

            PR middle-end/97373
            * gcc.dg/tree-ssa/builtin-sprintf-warn-25.c: New test.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug middle-end/97373] missing warning on sprintf into allocated destination
  2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
@ 2020-12-01 20:58 ` msebor at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-12-01 20:58 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
   Target Milestone|---                         |11.0

--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
Done in r11-5622.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-12-01 20:58 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-11 23:07 [Bug middle-end/97373] New: missing warning on sprintf into allocated destination msebor at gcc dot gnu.org
2020-10-11 23:13 ` [Bug middle-end/97373] " msebor at gcc dot gnu.org
2020-11-05  0:59 ` msebor at gcc dot gnu.org
2020-12-01 20:41 ` cvs-commit at gcc dot gnu.org
2020-12-01 20:58 ` msebor at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).