bug#57211: 29.0.50; generate-new-buffer-name sprintf format overflow warning

bug#57211: 29.0.50; generate-new-buffer-name sprintf format overflow warning

[Basil L. Contovounesios via Bug reports for GNU Emacs, the Swiss army knife of text editors]

Severity: minor

Compiling with gcc (Debian 12.1.0-7) 12.1.0 and -Og, I get the following
-Wformat-overflow warning:

In file included from buffer.c:33:
buffer.c: In function ‘Fgenerate_new_buffer_name’:
buffer.c:1167:46: warning: ‘sprintf’ may write a terminating nul past the end of the destination [-Wformat-overflow=]
 1167 |       AUTO_STRING_WITH_LEN (lnumber, number, sprintf (number, "-%d", i));
      |                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~
lisp.h:5493:36: note: in definition of macro ‘AUTO_STRING_WITH_LEN’
 5493 |         ((&(struct Lisp_String) {{{len, -1, 0, (unsigned char *) (str)}}}), \
      |                                    ^~~
buffer.c:1167:46: note: ‘sprintf’ output between 3 and 9 bytes into a destination of size 8
 1167 |       AUTO_STRING_WITH_LEN (lnumber, number, sprintf (number, "-%d", i));
      |                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~
lisp.h:5493:36: note: in definition of macro ‘AUTO_STRING_WITH_LEN’
 5493 |         ((&(struct Lisp_String) {{{len, -1, 0, (unsigned char *) (str)}}}), \
      |                                    ^~~

Can the upper bound 9 ever be achieved?  If so, how?  If not, is this a
GCC bug?  Either way, is there a way to pacify the warning?

I tried

  snprintf (number, sizeof number, ...)

but got the same warning.

BTW, in the preceding

  int i = r % 1000000;

can the result of % ever exceed INT_MAX?  And do we care either way?

Thanks,

-- 
Basil

In GNU Emacs 29.0.50 (build 1, x86_64-pc-linux-gnu, X toolkit, cairo version 1.16.0, Xaw3d scroll bars)
 of 2022-08-14 built on tia
Repository revision: 1d3fe256907d5e78a4acedd194e55db8ab952952
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.12101004
System Description: Debian GNU/Linux bookworm/sid

Configured using:
 'configure CC=gcc-12 'CFLAGS=-Og -ggdb3' --config-cache
 --prefix=/home/blc/.local --enable-checking=structs
 --with-file-notification=yes --with-x-toolkit=lucid --with-x'

Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM GSETTINGS HARFBUZZ JPEG
JSON LCMS2 LIBOTF LIBSELINUX LIBSYSTEMD LIBXML2 M17N_FLT MODULES NOTIFY
INOTIFY PDUMPER PNG RSVG SECCOMP SOUND SQLITE3 THREADS TIFF
TOOLKIT_SCROLL_BARS WEBP X11 XAW3D XDBE XIM XINPUT2 XPM LUCID ZLIB

Important settings:
  value of $LANG: en_IE.UTF-8
  value of $XMODIFIERS: @im=ibus
  locale-coding-system: utf-8-unix

bug#57211: 29.0.50; generate-new-buffer-name sprintf format overflow warning

[Matt Armstrong]

"Basil L. Contovounesios" via "Bug reports for GNU Emacs, the Swiss army
knife of text editors" <bug-gnu-emacs@gnu.org> writes:

> Severity: minor
>
> Compiling with gcc (Debian 12.1.0-7) 12.1.0 and -Og, I get the following
> -Wformat-overflow warning:
>
> In file included from buffer.c:33:
> buffer.c: In function ‘Fgenerate_new_buffer_name’:
> buffer.c:1167:46: warning: ‘sprintf’ may write a terminating nul past the end of the destination [-Wformat-overflow=]
>  1167 |       AUTO_STRING_WITH_LEN (lnumber, number, sprintf (number, "-%d", i));
>       |                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~
> lisp.h:5493:36: note: in definition of macro ‘AUTO_STRING_WITH_LEN’
>  5493 |         ((&(struct Lisp_String) {{{len, -1, 0, (unsigned char *) (str)}}}), \
>       |                                    ^~~
> buffer.c:1167:46: note: ‘sprintf’ output between 3 and 9 bytes into a destination of size 8
>  1167 |       AUTO_STRING_WITH_LEN (lnumber, number, sprintf (number, "-%d", i));
>       |                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~
> lisp.h:5493:36: note: in definition of macro ‘AUTO_STRING_WITH_LEN’
>  5493 |         ((&(struct Lisp_String) {{{len, -1, 0, (unsigned char *) (str)}}}), \
>       |                                    ^~~
>
> Can the upper bound 9 ever be achieved?  If so, how?  If not, is this a
> GCC bug?  Either way, is there a way to pacify the warning?
>
> I tried
>
>   snprintf (number, sizeof number, ...)
>
> but got the same warning.
>
> BTW, in the preceding
>
>   int i = r % 1000000;
>
> can the result of % ever exceed INT_MAX?  And do we care either way?

I assume that gcc is concerned about the possibility that i may be
-999999 and the resulting string "--999999" which would overflow the
buffer.

Gcc doesn't know that get_random() returns only non-negative numbers,
and the eassume() call doesn't seem to be enough to convince gcc this
fact, or gcc does not infer i is also non-negative.

Personally, I'd change this code to use a buffer

   INT_BUFSIZE_BOUND(int) + sizeof "-"

bytes large, like the just code below it.  In other words, make it large
enough for type of i, and avoid delicate inferences made about the range
of values stored in i.

The "wasted" bytes in the buffer are minor in comparison to the human
effort required to verify this code for security correctness.  :-)

bug#57211: 29.0.50; generate-new-buffer-name sprintf format overflow warning

[Paul Eggert]

[-- Attachment #1: Type: text/plain, Size: 1133 bytes --]

On 8/14/22 09:50, Basil L. Contovounesios wrote:

> Can the upper bound 9 ever be achieved?  If so, how?  If not, is this a
> GCC bug?  Either way, is there a way to pacify the warning?

It can't be achieved, and it's arguably a GCC bug. I installed the 
attached to pacify GCC.

>    int i = r % 1000000;
> 
> can the result of % ever exceed INT_MAX?

No.


On 8/14/22 11:59, Matt Armstrong wrote:

> Gcc doesn't know that get_random() returns only non-negative numbers,
> and the eassume() call doesn't seem to be enough to convince gcc this
> fact, or gcc does not infer i is also non-negative.

It's worse than that. Even if you add 'eassume (0 <= i && i < 1000000);" 
GCC still doesn't assume that the sprintf is in range.

> Personally, I'd change this code to use a buffer
> 
>    INT_BUFSIZE_BOUND(int) + sizeof "-"

The problem with overallocating buffers is not the memory loss (it's 
trivial, as you say), it's that later readers like me will wonder why 
the buffer is being overallocated, which is maintenance overhead.

I installed the attached to pacify GCC while also attempting to not 
entirely mystify later readers.

[-- Attachment #2: 0001-Work-around-Bug-57211.patch --]
[-- Type: text/x-patch, Size: 855 bytes --]

From 23561f9665609bcb4cbe89a993a70eeccbec600e Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 14 Aug 2022 13:48:11 -0700
Subject: [PATCH] Work around Bug#57211

* src/buffer.c (Fgenerate_new_buffer_name): Allocate a bigger buffer.
---
 src/buffer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/buffer.c b/src/buffer.c
index 6ab516d5f5..98066a2eb6 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1160,7 +1160,8 @@ DEFUN ("generate-new-buffer-name", Fgenerate_new_buffer_name,
     genbase = name;
   else
     {
-      char number[sizeof "-999999"];
+      enum { bug_52711 = true };  /* https://bugs.gnu.org/57211 */
+      char number[bug_52711 ? INT_BUFSIZE_BOUND (int) + 1 : sizeof "-999999"];
       EMACS_INT r = get_random ();
       eassume (0 <= r);
       int i = r % 1000000;
-- 
2.34.1