https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92828

            Bug ID: 92828
           Summary: array out of bounds access in libcpp/mkdeps.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: bootstrap
          Assignee: unassigned at gcc dot gnu.org
          Reporter: krebbel at gcc dot gnu.org
  Target Milestone: ---

/* If T begins with any of the partial pathnames listed in d->vpathv,
   then advance T to point beyond that pathname.  */
static const char *
apply_vpath (class mkdeps *d, const char *t)
{
  if (unsigned len = d->vpath.size ())
    for (unsigned i = len; i--;)
      {
        if (!filename_ncmp (d->vpath[i].str, t, d->vpath[i].len))
          {
            const char *p = t + d->vpath[i].len;
            if (!IS_DIR_SEPARATOR (*p))
              goto not_this_one;

            /* Do not simplify $(vpath)/../whatever.  ??? Might not
               be necessary. */
            if (p[1] == '.' && p[2] == '.' && IS_DIR_SEPARATOR (p[3]))
              goto not_this_one;
...

The last check causes

error: array subscript 2 is outside array bounds of ‘const char [2]’

if apply_vpath gets inlined into deps_add_target and deps_add_target gets
inlined into:

void
deps_add_default_target (class mkdeps *d, const char *tgt)
{
  /* Only if we have no targets.  */
  if (d->targets.size ())
    return;

  if (tgt[0] == '\0')
    {
      __builtin_trap ();
      deps_add_target (d, "-", 1);
    }
...


This unfortunately triggers a bootstrap failure on IBM Z when using
--with-arch=z13 at configure time. For z13 we bump the inlining threshold so
that the inlining described above actually happens.

The right fix appears to be passing the length of the buffer along with the
buffer itself. Alternatively it might also be ok to just remove the check as
the comment above it suggests.

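The length-passing fix suggested in the report, sketched as an added example (not code from GCC or from the reporter). skip_vpath_prefix, IS_DIR_SEP and demo are hypothetical names, strncmp stands in for filename_ncmp, and returning the pointer just past the separator is an assumption about the part of apply_vpath elided above.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-in for GCC's IS_DIR_SEPARATOR (assumption: '/' only).  */
#define IS_DIR_SEP(c) ((c) == '/')

/* Hypothetical length-aware variant of the apply_vpath prefix check.
   T holds T_LEN characters (terminator not counted); PREFIX is one vpath
   entry of PREFIX_LEN characters.  Returns T advanced past "PREFIX/" when
   the prefix applies, otherwise T unchanged.  Every index is checked
   against T_LEN before it is read.  */
static const char *
skip_vpath_prefix (const char *t, size_t t_len,
                   const char *prefix, size_t prefix_len)
{
  /* Need the prefix plus at least one separator character.  */
  if (t_len <= prefix_len)
    return t;
  /* strncmp stands in for filename_ncmp here.  */
  if (strncmp (prefix, t, prefix_len) != 0)
    return t;

  const char *p = t + prefix_len;
  size_t rest = t_len - prefix_len;   /* characters readable from p */

  if (!IS_DIR_SEP (p[0]))
    return t;

  /* Do not simplify PREFIX/../whatever; p[1..3] are read only if present.  */
  if (rest >= 4 && p[1] == '.' && p[2] == '.' && IS_DIR_SEP (p[3]))
    return t;

  return p + 1;
}

/* Constructed sample inputs, including the 2-byte "-" from the report.  */
static int
demo (void)
{
  const char *a = "src/foo.o", *b = "src/../foo.o", *c = "-", *d = "src/";
  return skip_vpath_prefix (a, 9, "src", 3) == a + 4
         && skip_vpath_prefix (b, 12, "src", 3) == b
         && skip_vpath_prefix (c, 1, "src", 3) == c
         && skip_vpath_prefix (d, 4, "src", 3) == d + 4;
}
```

With the length carried alongside the pointer, the "-" target is rejected before any subscript is evaluated, so the compiler has no constant out-of-range index to diagnose after inlining.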