Index: include/clang/Basic/DiagnosticSemaKinds.td
===================================================================
--- include/clang/Basic/DiagnosticSemaKinds.td	(revision 204466)
+++ include/clang/Basic/DiagnosticSemaKinds.td	(working copy)
@@ -6256,6 +6256,9 @@
 def warn_scanf_nonzero_width : Warning<
   "zero field width in scanf format string is unused">,
   InGroup<Format>;
+def warn_scanf_no_string_width : Warning<
+  "no field width in scanf string format specifier (potentially insecure)">,
+  InGroup<FormatSecurity>, DefaultIgnore;
 def warn_printf_conversion_argument_type_mismatch : Warning<
   "format specifies type %0 but the argument has type %1">,
   InGroup<Format>;
Index: lib/Sema/SemaChecking.cpp
===================================================================
--- lib/Sema/SemaChecking.cpp	(revision 204466)
+++ lib/Sema/SemaChecking.cpp	(working copy)
@@ -3462,7 +3462,7 @@
     }
   }
   
-  // Check if the field with is non-zero.
+  // Check field width.
   const OptionalAmount &Amt = FS.getFieldWidth();
   if (Amt.getHowSpecified() == OptionalAmount::Constant) {
     if (Amt.getConstantAmount() == 0) {
@@ -3473,6 +3473,13 @@
                            /*IsStringLocation*/true, R,
                            FixItHint::CreateRemoval(R));
     }
+  } else {
+    // If no field width was specified.
+    if (CS.getKind() == ConversionSpecifier::sArg)
+      EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_no_string_width),
+                           getLocationOfByte(startSpecifier),
+                           /*IsStringLocation*/true,
+                           getSpecifierRange(startSpecifier, specifierLen));
   }
   
   if (!FS.consumesDataArgument()) {
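Review bot: The new `else` branch warns on every width-less `%s`, including an assignment-suppressed `%*s`, which writes nothing and so carries no overflow risk; guard it with the predicate the function already uses two lines later, `if (CS.getKind() == ConversionSpecifier::sArg && FS.consumesDataArgument())`. The same unbounded write exists for a width-less `%[` scanset (ConversionSpecifier::ScanListArg), so the check probably wants to cover both kinds, and if this tree supports the GNU `m` allocating length modifier that case should presumably be excluded too — confirm against FormatString.h. The comment `// If no field width was specified.` would be more precise as a check on `OptionalAmount::NotSpecified` rather than a bare `else`, since that is the only non-Constant case scanf widths can take. The enclosing handler starts and ends outside this hunk.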
Index: test/Sema/format-strings-fixit.c
===================================================================
--- test/Sema/format-strings-fixit.c	(revision 204466)
+++ test/Sema/format-strings-fixit.c	(working copy)
@@ -121,7 +121,10 @@
 
   // Some string types.
   scanf("%lf", str);
+#pragma clang diagnostic push // Don't warn about security problems.
+#pragma clang diagnostic ignored "-Wformat-security"
   scanf("%lf", vstr);
+#pragma clang diagnostic pop
   scanf("%ls", str);
   scanf("%ls", str);
 
Index: test/Sema/format-strings-scanf.c
===================================================================
--- test/Sema/format-strings-scanf.c	(revision 204466)
+++ test/Sema/format-strings-scanf.c	(working copy)
@@ -18,7 +18,10 @@
 int vsscanf(const char * restrict, const char * restrict, va_list);
 
 void test(const char *s, int *i) {
+  char str[50];
+
   scanf(s, i); // expected-warning{{ormat string is not a string literal}}
+  scanf("%s", str); // expected-warning{{no field width in scanf string format specifier (potentially insecure)}}
   scanf("%0d", i); // expected-warning{{zero field width in scanf format string is unused}}
   scanf("%00d", i); // expected-warning{{zero field width in scanf format string is unused}}
   scanf("%d%[asdfasdfd", i, s); // expected-warning{{no closing ']' for '%[' in scanf format string}}
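Review bot: The new test pins only the positive case; there is no line confirming that a bounded or suppressed string conversion stays quiet, so a regression that warns on every `%s` would not be caught. Add `scanf("%10s", str); // no-warning` and `scanf("%*s"); // no-warning` next to the new `%s` line, which -verify will flag if the diagnostic fires. The warning is DefaultIgnore in the .td hunk, so this presumably relies on the file's RUN line enabling -Wformat-security; that line is outside the hunk and worth checking.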
