BUG: Fix -Wstringop-truncation and replace fixed-width magic numbers#109
Merged
hjmjohnson merged 3 commits into InsightSoftwareConsortium:main on Apr 30, 2026
GCC's -Wstringop-truncation flagged 6 calls in itkScancoImageIO.cxx where strncpy was invoked with a bound equal to the destination size. When the source string is at least as long as the destination, strncpy leaves the buffer without a NUL terminator, causing undefined behavior in subsequent C-string accessors (GetVersion, GetPatientName, etc.). The in-memory header buffers (m_Version[18], m_PatientName[42], m_CreationDate[32], m_ModificationDate[32], m_RescaleUnits[18], m_CalibrationData[66]) are explicitly sized two bytes wider than the on-disk fixed-width fields (16, 40, 8/decoded-32, 32, 16, 64) so that a NUL terminator always fits; itkISQHeaderIO.cxx:137 documents this with an explicit '\0' write. Switch all six metadata-import sites and the five (six counting ModificationDate) public Set*() inline accessors to std::snprintf(dst, sizeof(dst), "%s", src), which always NUL-terminates and silently truncates oversized input. Add <cstdio> to both translation units.
The on-disk Scanco header has fixed-width text fields (16, 40, 64 bytes for Version/PatientName/CalibrationData and 16 for RescaleUnits; 8 bytes for the encoded VMS date) and the in-memory buffers are sized two bytes wider so a NUL terminator always fits. Until now those widths appeared as bare numeric literals throughout the read/write/manipulate paths, with the disk-vs-buffer distinction only implicit in pairings like 16/18, 40/42, 64/66. Introduce a ScancoHeaderField namespace in itkScancoDataManipulation.h holding constexpr widths for each field (DiskWidth + BufferSize pairs plus EncodedDateDiskWidth and DateStringBufferSize), and use them at all the read/write call sites in itkScancoImageIO, itkISQHeaderIO, itkAIMHeaderIO, and itkScancoDataManipulation. No semantic change.
Merge commit ce10a8e into InsightSoftwareConsortium:main. 15 of 16 checks passed.
hjmjohnson added a commit that referenced this pull request on Apr 30, 2026:
Run clang-format 19.1.7 (matching the version pinned by ITK's .pre-commit-config.yaml and used by the ITKClangFormatLinterAction) over the files modified in PRs #109 (BUG/STYLE for Wstringop-truncation and the constexpr field-width refactor). The lint job on main (commit ce10a8e) failed because the snprintf replacements and the ScancoHeaderField constants pushed several multi-arg call sites past the column limit, which clang-format re-wraps differently than the manual formatting in the merged commit.
Fixes 6 GCC -Wstringop-truncation warnings observed in Slicer CDash build 4206682 by switching the affected strncpy calls to std::snprintf, then refactors the bare 16/18/40/42/64/66/8/32 literals into a ScancoHeaderField constexpr namespace.

Root cause and reproduction

GCC 13/15 -Wstringop-truncation fires whenever strncpy(dst, src, N) is called with N == sizeof(dst): if src is at least N bytes the resulting buffer has no NUL terminator, and downstream Get*() accessors that return the buffer as a const char * C-string then read past the end. The in-memory m_HeaderData.m_* buffers are sized disk_width + 2 (e.g. m_Version[18] for the 16-byte ISQ field) specifically so a NUL terminator can fit; itkISQHeaderIO.cxx:137 already documents this with an explicit m_Version[16] = '\0' after memcpy. The strncpy(dst, src.c_str(), sizeof(dst)) pattern violated that invariant.

Reproduced locally with g++-15 against ~/src/ITK/build; all 6 warnings disappear with the snprintf replacement.

Commits

BUG: Replace strncpy with snprintf to ensure NUL termination: 6 sites in src/itkScancoImageIO.cxx plus 6 setter inlines in include/itkScancoImageIO.h (same bug, didn't trigger in the Slicer build only because those setters weren't instantiated). std::snprintf(dst, sizeof(dst), "%s", src) always NUL-terminates and silently truncates oversized input.

STYLE: Replace fixed-width Scanco field magic numbers with constexpr: introduces a ScancoHeaderField namespace in itkScancoDataManipulation.h with inline constexpr std::size_t for VersionDiskWidth/BufferSize (16/18), PatientNameDiskWidth/BufferSize (40/42), RescaleUnitsDiskWidth/BufferSize (16/18), CalibrationDataDiskWidth/BufferSize (64/66), EncodedDateDiskWidth (8), and DateStringBufferSize (32). Updates 33 call sites across itkScancoDataManipulation.{h,cxx}, itkISQHeaderIO.cxx, and itkAIMHeaderIO.cxx. No semantic change.

Out of scope

strncpy(dst, src, src.length()+1) calls in itkAIMHeaderIO.cxx use a different pattern that doesn't trip -Wstringop-truncation but has its own buffer-overrun risk if input exceeds the destination width. Worth a follow-up.

strncmp/memcpy literal-tag comparisons against "MultiHeader " / "Calibration " where the 16 is just the strlen of the literal: replacing those with the constant adds no clarity.
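To make the invariant described in the PR body concrete, the following is an added example (not code from this pull request or from the ITK Scanco module) contrasting the pre-fix strncpy pattern with the snprintf replacement on a Version buffer of ScancoHeaderField::VersionBufferSize bytes. The helper names isTerminated, copyWithStrncpy and copyWithSnprintf are mine, and the constants are reconstructed from the widths the PR states rather than taken from the project's header.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Widths following the PR's ScancoHeaderField convention: the on-disk field
// width plus two spare bytes so a NUL terminator always fits.
// (Reconstructed for this example, not the project's own header.)
namespace ScancoHeaderField
{
inline constexpr std::size_t VersionDiskWidth = 16;
inline constexpr std::size_t VersionBufferSize = VersionDiskWidth + 2;
} // namespace ScancoHeaderField

struct HeaderData
{
  char m_Version[ScancoHeaderField::VersionBufferSize];
};

// True iff a NUL lies inside the buffer. memchr is bounded by dstSize, so it is
// safe on a buffer that may be unterminated (strlen would read past the end).
bool isTerminated(const char * dst, std::size_t dstSize)
{
  return std::memchr(dst, '\0', dstSize) != nullptr;
}

// Pre-fix pattern: bound equal to the destination size. If strlen(src) >= dstSize
// every byte is payload and no terminator is written. Returns whether dst ended up terminated.
bool copyWithStrncpy(char * dst, std::size_t dstSize, const std::string & src)
{
  std::strncpy(dst, src.c_str(), dstSize);
  return isTerminated(dst, dstSize);
}

// Post-fix pattern: snprintf always terminates (for dstSize > 0) and returns the
// length it wanted to write, so truncation is detectable. Returns true if src was truncated.
bool copyWithSnprintf(char * dst, std::size_t dstSize, const std::string & src)
{
  const int wanted = std::snprintf(dst, dstSize, "%s", src.c_str());
  return wanted >= 0 && static_cast<std::size_t>(wanted) >= dstSize;
}

int main()
{
  HeaderData h{};
  const std::string oversized(ScancoHeaderField::VersionBufferSize, 'V'); // 18 chars, no room for NUL
  std::printf("strncpy terminated: %d\n", copyWithStrncpy(h.m_Version, sizeof(h.m_Version), oversized));
  std::printf("snprintf truncated: %d, result \"%s\"\n",
              copyWithSnprintf(h.m_Version, sizeof(h.m_Version), oversized), h.m_Version);
  return 0;
}
```

The snprintf return value is what the PR's "silently truncates" setters discard; a caller that wants to log or reject oversized metadata can compare it against sizeof(dst) as copyWithSnprintf does.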