https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91582
Bug ID: 91582
Summary: missing heap overflow detection for strcpy
Product: gcc
Version: 9.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---

Both functions below overflow the destination buffer by a single byte, yet neither overflow is detected. In each case malloc (strlen (...)) leaves no room for the terminating nul: the optimized dump shows f copying 5 bytes into a 4-byte allocation and g copying _1 + 1 bytes into an allocation of _1 bytes.

$ cat x.c && gcc -D_FORTIFY_SOURCE=2 -O2 -S -Wall -fdump-tree-optimized=/dev/stdout x.c
#include <stdlib.h>
#include <string.h>

void* f (void)
{
  const char a[] = "1234";
  char *t = (char*)malloc (strlen (a));
  strcpy (t, a);
  return t;
}

void* g (const char *s)
{
  char *t = (char*)malloc (strlen (s));
  strcpy (t, s);
  return t;
}

;; Function f (f, funcdef_no=27, decl_uid=2854, cgraph_uid=28, symbol_order=27)

f ()
{
  char * t;
  const char a[5];

  <bb 2> [local count: 1073741824]:
  a = "1234";
  t_5 = malloc (4);
  MEM <unsigned char[5]> [(char * {ref-all})t_5] = MEM <unsigned char[5]> [(char * {ref-all})&a];
  a ={v} {CLOBBER};
  return t_5;

}

;; Function g (g, funcdef_no=28, decl_uid=2859, cgraph_uid=29, symbol_order=28)

g (const char * s)
{
  char * t;
  long unsigned int _1;
  long unsigned int _6;

  <bb 2> [local count: 1073741824]:
  _1 = strlen (s_3(D));
  t_5 = malloc (_1);
  _6 = _1 + 1;
  __builtin_memcpy (t_5, s_3(D), _6);
  return t_5;

}