From d8aeee11af715507e61464d390f14e4f4fde61b0 Mon Sep 17 00:00:00 2001
From: Jakub Jelinek
Date: Mon, 21 Dec 2020 10:14:46 +0100
Subject: [PATCH] fold-const: Fix up a buffer overflow in native_encode_initializer [PR98407]

For flexible array members we need to incrementally clear just from ptr + total_bytes up to new ptr + total_bytes, but memset has been called with the length from ptr, so was missing - total_bytes. Additionally, in this code off is guaranteed to be -1 and thus o 0, so don't bother pretending we could handle anything else, it would be more complicated than that.

2020-12-21 Jakub Jelinek

PR tree-optimization/98407
* fold-const.c (native_encode_initializer): When handling flexible array members, fix up computation of length for memset. Also remove " - o" as o is always guaranteed to be 0 in this code path.
* gcc.c-torture/compile/pr98407.c: New test.
---
 gcc/fold-const.c | 6 +++---
 gcc/testsuite/gcc.c-torture/compile/pr98407.c | 10 ++++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 gcc/testsuite/gcc.c-torture/compile/pr98407.c

diff --git a/gcc/fold-const.c b/gcc/fold-const.c
index 1694ba4554b..3a0f39a85b8 100644
--- a/gcc/fold-const.c
+++ b/gcc/fold-const.c
@@ -8280,9 +8280,9 @@ native_encode_initializer (tree init, unsigned char *ptr, int len,
 return 0;
 if (pos + fieldsize > total_bytes)
 {
- if (ptr != NULL && total_bytes - o < len)
- memset (ptr + (total_bytes - o),
- '\0', MIN (pos + fieldsize - o, len));
+ if (ptr != NULL && total_bytes < len)
+ memset (ptr + total_bytes, '\0',
+ MIN (pos + fieldsize, len) - total_bytes);
 total_bytes = pos + fieldsize;
 }
 }
diff --git a/gcc/testsuite/gcc.c-torture/compile/pr98407.c b/gcc/testsuite/gcc.c-torture/compile/pr98407.c
new file mode 100644
index 00000000000..29eb0803944
--- /dev/null
+++ b/gcc/testsuite/gcc.c-torture/compile/pr98407.c
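Review bot: The new memset length depends on the invariant the description states (off is -1, hence o is 0), but nothing in the hunk enforces it, so a later caller passing a real offset would silently clear the wrong byte range; I would add `gcc_checking_assert (o == 0);` directly before `if (ptr != NULL && total_bytes < len)` so that assumption fails loudly in checking builds. The arithmetic itself now looks consistent: the outer `pos + fieldsize > total_bytes` together with the new `total_bytes < len` guard keeps `MIN (pos + fieldsize, len) - total_bytes` strictly positive before it is converted to memset's size_t argument. The intent would also be clearer with a comment on the memset, e.g. `/* Flexible array member: zero only the not yet encoded bytes in [total_bytes, pos + fieldsize) that fit in the buffer.  */`. native_encode_initializer begins and ends outside the hunk, so I cannot see where `o` is declared; it was referenced on the removed lines at this very spot, so it should still be in scope here.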
@@ -0,0 +1,10 @@
+/* PR tree-optimization/98407 */
+
+struct S { int a; int b[]; };
+const struct S c = { 0, { 0 } }, d = { 0, { 0 } };
+
+int
+foo (void)
+{
+ return __builtin_memcmp (&c, &d, sizeof d);
+}
-- 
2.30.2
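Review bot: The new test carries only the PR number, so a reader of pr98407.c cannot tell why a `sizeof d` memcmp of two structs with an initialized flexible array member is interesting; I would add after the PR line a comment such as `/* Folding this memcmp encodes d's initializer; the initialized flexible array member b used to make native_encode_initializer write past the buffer sized for sizeof d (see the PR).  */`. Since this lives under gcc.c-torture/compile it only proves the fold no longer overruns, not that the folded value is right; if the harness permits, an execute variant asserting `foo () == 0` (both objects are all zero in the compared bytes) would also pin the result, though I have not checked whether a compile-only test was the deliberate choice here.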