1 /* PR middle-end/91582 - missing heap overflow detection for strcpy
2 
3    The -Warray-bounds instances here probably should be replaced by
4    -Wstringop-overflow when it detects these overflows (see also
5    the xfails in Wstringop-overflow-25.c).
6 
7    { dg-do compile }
8    { dg-options "-O2 -Wall -Wno-stringop-overflow -ftrack-macro-expansion=0" } */
9 
10 #include "range.h"
11 
12 #define INT_MAX     __INT_MAX__
13 #define INT_MIN     (-INT_MAX - 1)
14 
15 #define ATTR(...)   __attribute__ ((__VA_ARGS__))
16 #define NOIPA       ATTR (noipa)
17 
18 extern void* malloc (size_t);
19 extern char* strcpy (char*, const char*);
20 
21 void sink (void*);
22 
23 #define S36 "0123456789abcdefghijklmnopqrstuvwxyz"
24 #define S(N) (S36 + sizeof S36 - N - 1)
25 
26 struct Flex
27 {
28   char n, ax[];
29 };
30 
31 extern struct Flex fx;
32 struct Flex f1 = { 1, { 1 } };
33 struct Flex f2 = { 2, { 1, 2 } };
34 struct Flex f3 = { 3, { 1, 2, 3 } };
35 
36 #define T(src, f) do {				\
37     char *s = src;				\
38     char *d = f.ax;				\
39     strcpy (d, s);				\
40     sink (&f);					\
41   } while (0)
42 
test_strcpy_flexarray(void)43 NOIPA void test_strcpy_flexarray (void)
44 {
45   T (S (0), fx);                // { dg-bogus "\\\[-Warray-bounds" "pr92815" }
46   T (S (9), fx);                // { dg-bogus "\\\[-Warray-bounds" "pr92815" }
47 
48   T (S (0), f1);
49   T (S (1), f1);                // { dg-warning "\\\[-Warray-bounds" }
50 
51   T (S (0), f2);
52   T (S (1), f2);
53   T (S (2), f2);                // { dg-warning "\\\[-Warray-bounds" }
54 
55   T (S (0), f3);
56   T (S (2), f3);
57   T (S (3), f3);                // { dg-warning "\\\[-Warray-bounds" }
58   T (S (9), f3);                // { dg-warning "\\\[-Warray-bounds" }
59 }
60 
61 #undef T
62 #define T(T, src, n) do {			\
63     char *s = src;				\
64     typedef struct { T n, ax[]; } Flex;		\
65     Flex *p = (Flex*)malloc (sizeof *p + n);	\
66     char *d = (char*)p->ax;			\
67     strcpy (d, s);				\
68     sink (p);					\
69   } while (0)
70 
test_strcpy_malloc_flexarray(void)71 NOIPA void test_strcpy_malloc_flexarray (void)
72 {
73   size_t r_0_1 = UR (0, 1);
74 
75   T (char, S (0), r_0_1);
76   T (char, S (1), r_0_1);       // { dg-warning "\\\[-Warray-bounds" }
77 
78   size_t r_1_2 = UR (1, 2);
79 
80   T (char, S (0), r_1_2);
81   T (char, S (1), r_1_2);
82   T (char, S (2), r_1_2);       // { dg-warning "\\\[-Warray-bounds" }
83 
84   size_t r_2_3 = UR (2, 3);
85 
86   T (char, S (0), r_2_3);
87   T (char, S (2), r_2_3);
88   T (char, S (3), r_2_3);       // { dg-warning "\\\[-Warray-bounds" }
89   T (char, S (9), r_2_3);       // { dg-warning "\\\[-Warray-bounds" }
90 }
91