https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111537
ibuclaw at gcc dot gnu.org changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |ibuclaw at gcc dot gnu.org
Assignee |dmalcolm at gcc dot gnu.org |ibuclaw at gcc dot gnu.org
Component|analyzer                    |d
--- Comment #10 from ibuclaw at gcc dot gnu.org ---
Nice, thanks for pointing me to specifically where analyzer was tripping over,
David.
I think I can take over this PR from here.
---
oob.d: In function ‘D main’:
oob.d:5:11: warning: stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds]
5 | strcpy(arr.ptr, "hello world");
| ^
‘D main’: events 1-4
|
| 4 | char[5] arr;
| | ^
| | |
| | (1) capacity: 5 bytes
| | (2) following ‘false’ branch...
| | (3) ...to here
| 5 | strcpy(arr.ptr, "hello world");
| | ~
| | |
| | (4) out-of-bounds write from byte 5 till byte 11 but ‘arr’ ends at byte 5
|
oob.d:5:11: note: write of 7 bytes to beyond the end of ‘arr’
5 | strcpy(arr.ptr, "hello world");
| ^
oob.d:5:11: note: valid subscripts for ‘arr’ are ‘[0]’ to ‘[4]’
┌─────┬─────┬─────┬─────┬───────┐┌─────┬─────┬─────┬────┬────┬────┬────┐
│ [0] │ [1] │ [2] │ [3] │ [4] ││ [5] │ [6] │ [7] │[8] │[9] │[10]│[11]│
├─────┼─────┼─────┼─────┼───────┤├─────┼─────┼─────┼────┼────┼────┼────┤
│ ‘h’ │ ‘e’ │ ‘l’ │ ‘l’ │ ‘o’ ││ ‘ ’ │ ‘w’ │ ‘o’ │‘r’ │‘l’ │‘d’ │NUL │
├─────┴─────┴─────┴─────┴───────┴┴─────┴─────┴─────┴────┴────┴────┴────┤
│ string literal (type: ‘const char[12]’) │
└──────────────────────────────────────────────────────────────────────┘
│ │ │ │ │ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │ │ │
v v v v v v v v v v v v
┌─────┬─────────────────┬───────┐┌─────────────────────────────────────┐
│ [0] │ ... │ [4] ││ │
├─────┴─────────────────┴───────┤│ after valid range │
│ ‘arr’ (type: ‘char[5]’) ││ │
└───────────────────────────────┘└─────────────────────────────────────┘
├───────────────┬───────────────┤├──────────────────┬──────────────────┤
│ │
╭────────┴────────╮ ╭───────────┴──────────╮
│capacity: 5 bytes│ │⚠️ overflow of 7 bytes│
╰─────────────────╯ ╰──────────────────────╯