https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104969
Bug ID: 104969
Summary: Likely a false positive of -D_FORTIFY_SOURCE=3
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: siddhesh at gcc dot gnu.org
Target Milestone: ---
It's isolated from sratom package:
$ cat sratom.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
int size = 3;
unsigned char data = 0xff;
int main()
{
unsigned len = size * 2 + 1;
char * str = __builtin_calloc(len, 1);
for (uint32_t i = 0; i < size; ++i) {
fprintf (stderr, "i=%i\n", i);
snprintf((char*)str + (2 * i), len, "%02X", data);
}
fprintf (stderr, "R=%s\n", str);
}
$ gcc sratom.c -O2 -D_FORTIFY_SOURCE=3 && ./a.out
i=0
i=1
*** buffer overflow detected ***: terminated
Aborted (core dumped)
$ clang sratom.c -O2 -D_FORTIFY_SOURCE=3 && ./a.out
i=0
i=1
*** buffer overflow detected ***: terminated
Aborted (core dumped)
$ gcc-11 sratom.c -g -O2 -fsanitize=address,undefined && ./a.out
i=0
i=1
i=2
R=FFFFFF
The original code is defective a bit as it wrongly assumes that
(char*)str + (2 * i) is at maximum 'len' big. It's actually len - (2 * i) big.
But it should be still valid code, am I right?
