diff mbox series

Plug possible snprintf overflow in lto-wrapper.

Message ID 20210930061630.1285483-1-aldyh@redhat.com
State New
Headers show
Series Plug possible snprintf overflow in lto-wrapper. | expand

Commit Message

Aldy Hernandez Sept. 30, 2021, 6:16 a.m. UTC 
My upcoming improvements to the DOM threader triggered a warning in
this code.  It looks like the format string is ".ltrans%u.ltrans", but
we're only writing a max of ".ltrans" + whatever the MAX_INT is here.

Tested on x86-64 Linux.

OK?

gcc/ChangeLog:

	* lto-wrapper.c (run_gcc): Plug snprintf overflow.
---
 gcc/lto-wrapper.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

Comments

Richard Biener Sept. 30, 2021, 7:44 a.m. UTC | #1 
On Thu, Sep 30, 2021 at 8:17 AM Aldy Hernandez via Gcc-patches
<gcc-patches@gcc.gnu.org> wrote:
>
> My upcoming improvements to the DOM threader triggered a warning in
> this code.  It looks like the format string is ".ltrans%u.ltrans", but
> we're only writing a max of ".ltrans" + whatever the MAX_INT is here.
>
> Tested on x86-64 Linux.
>
> OK?

OK.  Note that %u is max 127 by default (--param lto-partitions).

Richard.

> gcc/ChangeLog:
>
>         * lto-wrapper.c (run_gcc): Plug snprintf overflow.
> ---
>  gcc/lto-wrapper.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/gcc/lto-wrapper.c b/gcc/lto-wrapper.c
> index 903c258a03a..7b9e4883f38 100644
> --- a/gcc/lto-wrapper.c
> +++ b/gcc/lto-wrapper.c
> @@ -1983,7 +1983,9 @@ cont:
>           output_name = XOBFINISH (&env_obstack, char *);
>
>           /* Adjust the dumpbase if the linker output file was seen.  */
> -         int dumpbase_len = (strlen (dumppfx) + sizeof (DUMPBASE_SUFFIX));
> +         int dumpbase_len = (strlen (dumppfx)
> +                             + sizeof (DUMPBASE_SUFFIX)
> +                             + sizeof (".ltrans"));
>           char *dumpbase = (char *) xmalloc (dumpbase_len + 1);
>           snprintf (dumpbase, dumpbase_len, "%sltrans%u.ltrans", dumppfx, i);
>           argv_ptr[0] = dumpbase;
> @@ -2009,9 +2011,11 @@ cont:
>             }
>           else
>             {
> -             char argsuffix[sizeof (DUMPBASE_SUFFIX) + 1];
> +             char argsuffix[sizeof (DUMPBASE_SUFFIX)
> +                            + sizeof (".ltrans_args") + 1];
>               if (save_temps)
> -               snprintf (argsuffix, sizeof (DUMPBASE_SUFFIX),
> +               snprintf (argsuffix,
> +                         sizeof (DUMPBASE_SUFFIX) + sizeof (".ltrans_args"),
>                           "ltrans%u.ltrans_args", i);
>               fork_execute (new_argv[0], CONST_CAST (char **, new_argv),
>                             true, save_temps ? argsuffix : NULL);
> --
> 2.31.1
>
diff mbox series

Patch

diff --git a/gcc/lto-wrapper.c b/gcc/lto-wrapper.c
index 903c258a03a..7b9e4883f38 100644
--- a/gcc/lto-wrapper.c
+++ b/gcc/lto-wrapper.c
@@ -1983,7 +1983,9 @@  cont:
 	  output_name = XOBFINISH (&env_obstack, char *);
 
 	  /* Adjust the dumpbase if the linker output file was seen.  */
-	  int dumpbase_len = (strlen (dumppfx) + sizeof (DUMPBASE_SUFFIX));
+	  int dumpbase_len = (strlen (dumppfx)
+			      + sizeof (DUMPBASE_SUFFIX)
+			      + sizeof (".ltrans"));
 	  char *dumpbase = (char *) xmalloc (dumpbase_len + 1);
 	  snprintf (dumpbase, dumpbase_len, "%sltrans%u.ltrans", dumppfx, i);
 	  argv_ptr[0] = dumpbase;
@@ -2009,9 +2011,11 @@  cont:
 	    }
 	  else
 	    {
-	      char argsuffix[sizeof (DUMPBASE_SUFFIX) + 1];
+	      char argsuffix[sizeof (DUMPBASE_SUFFIX)
+			     + sizeof (".ltrans_args") + 1];
 	      if (save_temps)
-		snprintf (argsuffix, sizeof (DUMPBASE_SUFFIX),
+		snprintf (argsuffix,
+			  sizeof (DUMPBASE_SUFFIX) + sizeof (".ltrans_args"),
 			  "ltrans%u.ltrans_args", i);
 	      fork_execute (new_argv[0], CONST_CAST (char **, new_argv),
 			    true, save_temps ? argsuffix : NULL);