https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97373
Bug ID: 97373
Summary: missing warning on sprintf into allocated destination
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---

-Wformat-overflow doesn't detect buffer overflow in sprintf call writing to allocated objects with non-constant sizes. The problem is that the warning calls compute_builtin_object_size() instead of compute_objsize().

$ cat q.c && gcc -O2 -S -Wall q.c
void* f (int n)
{
  if (n < 5 || 7 < n)
    n = 5;

  char *p = __builtin_malloc (n);
  __builtin_strcpy (p, "1234567");   // warning (good)
  return p;
}

void* g (int n)
{
  if (n < 5 || 7 < n)
    n = 5;

  char *p = __builtin_malloc (n);
  __builtin_sprintf (p, "%i", 1234567);   // missing warning
  return p;
}
q.c: In function ‘f’:
q.c:7:3: warning: ‘__builtin_memcpy’ writing 8 bytes into a region of size between 5 and 7 [-Wstringop-overflow=]
    7 |   __builtin_strcpy (p, "1234567");   // warning (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
q.c:6:13: note: at offset 0 to an object with size between 5 and 7 allocated by ‘__builtin_malloc’ here
    6 |   char *p = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~
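The following is an added example, not part of the bug report or of GCC, illustrating why the missing warning in g() matters and what the caller should do instead. It reproduces the report's size clamp (n forced into [5, 7]) in a helper named clamp_alloc_size, computes how many bytes sprintf (p, "%i", 1234567) actually writes (7 digits plus the terminating NUL, i.e. 8, which always exceeds the 5 to 7 byte allocation), and shows a hardened version that sizes the buffer from the formatted length and bounds the write with snprintf. The helper names (int_format_bytes, would_overflow, format_int_checked) are assumptions for this example; nothing here relies on the compiler diagnosing the overflow.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that sprintf (p, "%i", v) writes, including the terminating NUL.
   snprintf with a NULL buffer and size 0 (C99) returns the length without
   the NUL, so add one.  Returns 0 on an encoding error. */
size_t int_format_bytes (int v)
{
  int n = snprintf (NULL, 0, "%i", v);
  return n < 0 ? 0 : (size_t) n + 1;
}

/* Mirrors the allocation size in the report's g(): the caller-supplied n is
   clamped into [5, 7], so malloc (n) yields an object of 5 to 7 bytes. */
size_t clamp_alloc_size (int n)
{
  if (n < 5 || 7 < n)
    n = 5;
  return (size_t) n;
}

/* 1 if sprintf (p, "%i", v) into a clamp_alloc_size (n)-byte buffer would
   write past the end of the allocation, 0 otherwise. */
int would_overflow (int n, int v)
{
  return int_format_bytes (v) > clamp_alloc_size (n);
}

/* Hardened replacement for g(): size the buffer from the formatted length
   and bound the write with snprintf so a miscomputed size cannot overflow.
   Returns a malloc'd string the caller frees, or NULL on failure. */
char *format_int_checked (int v)
{
  size_t need = int_format_bytes (v);
  if (need == 0)
    return NULL;
  char *p = malloc (need);
  if (!p)
    return NULL;
  int wrote = snprintf (p, need, "%i", v);
  if (wrote < 0 || (size_t) wrote >= need)   /* truncated or error */
    {
      free (p);
      return NULL;
    }
  return p;
}

/* Formats v with the hardened routine and checks the result against an
   expected string; returns 1 on match.  Keeps the test free of allocations. */
int checked_matches (int v, const char *expected)
{
  char *s = format_int_checked (v);
  if (!s)
    return 0;
  int ok = strcmp (s, expected) == 0;
  free (s);
  return ok;
}

int main (void)
{
  /* Constructed inputs: the value from the report and the clamp bounds. */
  printf ("sprintf (p, \"%%i\", 1234567) writes %zu bytes\n",
          int_format_bytes (1234567));
  printf ("allocation for n=7 is %zu bytes, overflow=%d\n",
          clamp_alloc_size (7), would_overflow (7, 1234567));
  printf ("hardened result: %s\n", checked_matches (1234567, "1234567") ? "ok" : "fail");
  return 0;
}
```

Because the runtime size computed here is exactly what the report expects compute_objsize() to derive at compile time (an object between 5 and 7 bytes against an 8-byte write), would_overflow returns 1 for every value of n that g() accepts; only a smaller value such as 123456 (7 bytes with NUL) fits in the 7-byte case.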