From 741ff2a263fe0ddc343288331c0047c1a32af8b2 Mon Sep 17 00:00:00 2001 From: Jakub Jelinek Date: Tue, 17 Mar 2020 10:43:46 +0100 Subject: [PATCH] strlen: Punt on UB reads past end of string literal [PR94187] The gcc.dg/pr68785.c test which contains: int foo (void) { return *(int *) ""; } has UB in the program if it is ever called, but causes UB in the compiler as well as at least in theory non-reproduceable code generation. The problem is that nbytes is in this case 4, prep is the TREE_STRING_POINTER of a "" string literal with TREE_STRING_LENGTH of 1 and we do: 4890 for (const char *p = prep; p != prep + nbytes; ++p) 4891 if (*p) 4892 { 4893 *allnul = false; 4894 break; 4895 } and so read the bytes after the STRING_CST payload, which can be random. I think we should just punt in this case. 2020-03-17 Jakub Jelinek PR tree-optimization/94187 * tree-ssa-strlen.c (count_nonzero_bytes): Punt if nchars - offset < nbytes. --- gcc/ChangeLog | 4 ++++ gcc/tree-ssa-strlen.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/gcc/ChangeLog b/gcc/ChangeLog index fc35ceac272..f8105ccc67d 100644 --- a/gcc/ChangeLog +++ b/gcc/ChangeLog @@ -1,5 +1,9 @@ 2020-03-17 Jakub Jelinek + PR tree-optimization/94187 + * tree-ssa-strlen.c (count_nonzero_bytes): Punt if + nchars - offset < nbytes. + PR middle-end/94189 * builtins.c (expand_builtin_strnlen): Do return NULL_RTX if we would emit a warning if it was enabled and don't depend on TREE_NO_WARNING diff --git a/gcc/tree-ssa-strlen.c b/gcc/tree-ssa-strlen.c index 0d70f3cc95d..ec33d7c4baf 100644 --- a/gcc/tree-ssa-strlen.c +++ b/gcc/tree-ssa-strlen.c @@ -4822,6 +4822,8 @@ count_nonzero_bytes (tree exp, unsigned HOST_WIDE_INT offset, of the access), set it here to the size of the string, including all internal and trailing nuls if the string has any. */ nbytes = nchars - offset; + else if (nchars - offset < nbytes) + return false; prep = TREE_STRING_POINTER (exp) + offset; } -- 2.30.2