https://bugs.exim.org/show_bug.cgi?id=2037
Bug ID: 2037
Summary: A GCC 7 warning about possible buffer overflow in
pcregrep when formatting an error message
Product: PCRE
Version: 8.40
Hardware: x86
URL: https://kojipkgs.fedoraproject.org//packages/pcre/8.40/1.fc26.2/data/logs/x86_64/build.log
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: ppisar@???
CC: pcre-dev@???
Created attachment 974
  --> https://bugs.exim.org/attachment.cgi?id=974&action=edit
Proposed fix
GCC 7 has a new class of warnings that checks whether a buffer supplied to sprintf()
is large enough for formatting any arguments
<https://gcc.gnu.org/gcc-7/changes.html>. It caught this issue in pcre-8.40:
pcregrep.c: In function 'main':
pcregrep.c:3183:68: warning: '%d' directive writing between 1 and 10 bytes into
a region of size 8 [-Wformat-overflow=]
if (patterns->next == NULL) s[0] = 0; else sprintf(s, " number %d", j);
^~
pcregrep.c:3183:59: note: directive argument in the range [1, 2147483647]
if (patterns->next == NULL) s[0] = 0; else sprintf(s, " number %d", j);
^~~~~~~~~~~~
In file included from /usr/include/stdio.h:939:0,
from pcregrep.c:52:
/usr/include/bits/stdio2.h:33:10: note: '__builtin___sprintf_chk' output
between 10 and 19 bytes into a destination of size 16
return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Indeed the `s' array has only 16 bytes and with the maximal value of `j', one
needs 19 bytes.
There are multiple ways to fix it. Either one can allocate a big enough
buffer (but this is not portable as some platforms can have larger ints), or
one can cast the `j' argument to a shorter type if one knows what range of
values it will possess, or, as I chose, get rid of the offending sprintf() call.
See the attached patch.
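To make the arithmetic above concrete, here is an added C example (not code from the bug report or from PCRE) that measures how many bytes " number %d" needs, shows a 16-byte buffer failing at exactly the point the warning describes, and sizes a replacement buffer from sizeof(int) so the bound holds on platforms with larger ints. The names PREFIX, needed_bytes, format_number, original_buffer_ok and format_safe are this example's own, and the quoted values assume a 32-bit int as on the reporter's x86 build.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The format from pcregrep.c line 3183; ORIGINAL_BUF is that code's 16-byte s[]. */
#define PREFIX " number "
enum { ORIGINAL_BUF = 16 };

/* Portable size for " number %d": 8 prefix bytes, at most one decimal digit per
 * 3 bits of int plus 1 for rounding, 1 for a '-' sign, 1 for the NUL.
 * With a 32-bit int this is 21 bytes, covering the 19 (INT_MAX) or 20 (INT_MIN)
 * bytes actually needed. Constructed for this example. */
enum { SAFE_BUF = (int)sizeof(PREFIX) - 1 + (int)(sizeof(int) * CHAR_BIT) / 3 + 1 + 1 + 1 };

/* Bytes (NUL included) sprintf() would write for " number %d" with value j;
 * snprintf(NULL, 0, ...) measures the length without writing anything. */
size_t needed_bytes(int j)
{
    int n = snprintf(NULL, 0, PREFIX "%d", j);
    return (size_t)n + 1;
}

/* Bounded replacement for the sprintf() call: formats into buf and returns
 * 1 on success, 0 if snprintf() had to truncate (i.e. sprintf would overflow). */
int format_number(char *buf, size_t bufsize, int j)
{
    int n = snprintf(buf, bufsize, PREFIX "%d", j);
    return n >= 0 && (size_t)n < bufsize;
}

/* Same call against a buffer of the original 16-byte size: fails from
 * j = 10000000 upwards, which is the overflow -Wformat-overflow warned about. */
int original_buffer_ok(int j)
{
    char s[ORIGINAL_BUF];
    return format_number(s, sizeof s, j);
}

/* Formats j into a static SAFE_BUF-sized buffer; cannot fail for any int. */
const char *format_safe(int j)
{
    static char buf[SAFE_BUF];
    return format_number(buf, sizeof buf, j) ? buf : NULL;
}

int main(void)
{
    printf("bytes needed for INT_MAX: %zu, original buffer: %d, safe buffer: %d\n",
           needed_bytes(INT_MAX), ORIGINAL_BUF, SAFE_BUF);
    printf("16-byte buffer ok for 9999999? %d; for INT_MAX? %d\n",
           original_buffer_ok(9999999), original_buffer_ok(INT_MAX));
    printf("safe: \"%s\"\n", format_safe(INT_MIN));
    return 0;
}
```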