<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi folks,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It’s easy to see how memcpy (and other mem* functions) can cause out-of-bounds reads/writes, such as in this simplified reproducer for a real case we’ve seen:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p style='margin:0in;margin-bottom:.0001pt'> #include <string.h><o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> struct S {<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> int x;<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> int xx;<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> int y[];<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> };<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> char dst[100];<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> <o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> int main(void) {<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> struct S src = {0};<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> src.x = 9999;<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> src.xx = 8888;<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> memcpy(dst, &src, sizeof(struct S) + 1);<o:p></o:p></p><p style='margin:0in;margin-bottom:.0001pt'> }<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Here, the size argument to memcpy is clearly just wrong. But consider that when FAMs are in play (as is hinted at here), designers can get confused and use the wrong size value – probably there are plenty of other circumstances where such coding errors are easy to make, and not easy to spot during review. At present, CFE can’t catch this during compilation (unless I’ve missed something). It can be caught by the static analysis check “alpha.unix.cstring.OutOfBounds” – but that’s rather late, rather costly, and rather noisy (which I’m sure is why it’s an alpha check and not a core check). This seems like something that could be caught and flagged by either a diagnostic or a tidy-check… Is that reasonable? If not, why not?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'><o:p> </o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><a href="https://www.ericsson.com/" target="_blank"><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none'><img border=0 width=30 height=30 style='width:.3125in;height:.3125in' id="_x0000_i1026" src="https://mediabank.ericsson.net/internet-media/Email_logo_Ericsson.png"></span></a><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'><o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'> <o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>Chris Hamilton</span></b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'> <o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>Compiler Developer<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>BNEW DNEW 4G5G BI BBI 10<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>Mobile: +1-512-955-0143<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'><a href="mailto:chris.hamilton@ericsson.com"><span style='color:blue'>chris.hamilton@ericsson.com</span></a><o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'><o:p> </o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>“Without inclusion, diversity is only a statistic.” </span></b><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'> <i>-- Börje Ekholm, CEO of Ericsson<o:p></o:p></i></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'> <o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>Ericsson<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>1703 W. 5th Street Suite 600<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>78703,Austin, Texas<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'>United States<o:p></o:p></span></p><p class=MsoNormal style='mso-line-height-alt:3.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:#181818'><a href="https://www.ericsson.com/" target="_blank"><span style='color:blue'>ericsson.com</span></a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'> <o:p></o:p></span></p><p class=MsoNormal><a href="https://www.ericsson.com/current_campaign" target="_blank"><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none'><img border=0 width=500 height=80 style='width:5.2083in;height:.8333in' id="_x0000_i1025" src="https://mediabank.ericsson.net/internet-media/Email_Message.gif"></span></a><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'>Our commitment to <a href="https://www.ericsson.com/thecompany/sustainability-corporateresponsibility" title="https://www.ericsson.com/thecompany/sustainability-corporateresponsibility"><span style='color:blue'>Technology for Good</span></a> and <a href="https://www.ericsson.com/thecompany/diversity-inclusion" title="https://www.ericsson.com/thecompany/diversity-inclusion"><span style='color:blue'>Diversity and Inclusion</span></a> contributes to positive change.<br>Follow us on: <a href="https://www.facebook.com/ericsson" title="https://www.facebook.com/ericsson"><span style='color:blue'>Facebook</span></a> <a href="https://www.linkedin.com/company/ericsson" title="https://www.linkedin.com/company/ericsson"><span style='color:blue'>LinkedIn</span></a> <a href="https://twitter.com/Ericsson" title="https://twitter.com/Ericsson"><span style='color:blue'>Twitter</span></a><br><br>Legal entity:</span><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#333333'>ERICSSON AB</span><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'> registration number </span><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#333333'>556056-6258</span><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'>, registered office in </span><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#333333'>Stockholm</span><span style='font-size:8.0pt;font-family:"Arial",sans-serif;color:#181818'>.<br>This communication is confidential. Our email terms: <a href="https://www.ericsson.com/en/legal/privacy/email-disclaimer" title="https://www.ericsson.com/en/legal/privacy/email-disclaimer"><span style='color:blue'>www.ericsson.com/en/legal/privacy/email-disclaimer</span></a></span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>