https://github.com/flovent updated https://github.com/llvm/llvm-project/pull/170496
>From 847a1565fb2cf2e9a0cd58711cb3374b8357f0d9 Mon Sep 17 00:00:00 2001
From: flovent <[email protected]>
Date: Wed, 3 Dec 2025 23:30:05 +0800
Subject: [PATCH 1/2] [clang][BufferUsage] Fix crash when parsing invalid format string
---
 clang/lib/Analysis/UnsafeBufferUsage.cpp | 17 ++++++++++++-----
 .../warn-unsafe-buffer-usage-libc-functions.cpp | 5 +++++
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/clang/lib/Analysis/UnsafeBufferUsage.cpp b/clang/lib/Analysis/UnsafeBufferUsage.cpp
index da155d31d4a88..19c6618ee8024 100644
--- a/clang/lib/Analysis/UnsafeBufferUsage.cpp
+++ b/clang/lib/Analysis/UnsafeBufferUsage.cpp
@@ -832,6 +832,7 @@ static bool hasUnsafeFormatOrSArg(const CallExpr *Call, const Expr *&UnsafeArg,
 unsigned FmtArgIdx;
 const Expr *&UnsafeArg;
 ASTContext &Ctx;
+ bool UnsafeArgSet;
 // Returns an `Expr` representing the precision if specified, null
 // otherwise.
@@ -872,7 +873,8 @@ static bool hasUnsafeFormatOrSArg(const CallExpr *Call, const Expr *&UnsafeArg,
 public:
 StringFormatStringHandler(const CallExpr *Call, unsigned FmtArgIdx,
 const Expr *&UnsafeArg, ASTContext &Ctx)
- : Call(Call), FmtArgIdx(FmtArgIdx), UnsafeArg(UnsafeArg), Ctx(Ctx) {}
+ : Call(Call), FmtArgIdx(FmtArgIdx), UnsafeArg(UnsafeArg), Ctx(Ctx),
+ UnsafeArgSet(false) {}
 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
 const char *startSpecifier,
@@ -910,8 +912,11 @@ static bool hasUnsafeFormatOrSArg(const CallExpr *Call, const Expr *&UnsafeArg,
 return true;
 // Handle unsafe case:
 UnsafeArg = Call->getArg(ArgIdx); // output
+ UnsafeArgSet = true;
 return false; // returning false stops parsing immediately
 }
+
+ bool isUnsafeArgSet() { return UnsafeArgSet; }
 };
 const Expr *Fmt = Call->getArg(FmtArgIdx);
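Review bot: The new `UnsafeArgSet` member declared after `ASTContext &Ctx;` carries no comment explaining why a separate flag is needed instead of a null check on `UnsafeArg`; `UnsafeArg` is a reference to the caller's pointer and nothing in the hunks shows what value it holds on entry, so the flag is the only reliable record that `HandlePrintfSpecifier` assigned it, and that reasoning deserves to be written down. Suggest `bool UnsafeArgSet; // set once HandlePrintfSpecifier assigns UnsafeArg; tells a stop on an unsafe argument apart from a stop on a malformed format string`. Initialising it in-class, `bool UnsafeArgSet = false;`, would keep the initial value next to the declaration and make the constructor edit in the second hunk unnecessary. The enclosing `StringFormatStringHandler` class and `hasUnsafeFormatOrSArg` both begin before this hunk.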
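Review bot: `isUnsafeArgSet()` added before the closing `};` reads only `UnsafeArgSet` and should be a const member function, `bool isUnsafeArgSet() const { return UnsafeArgSet; }`, so it is callable through a const handler and states that it has no side effect. The `// output` comment on the assignment to `UnsafeArg` could also say that the flag must be set on every path that assigns the output, e.g. `// output; keep UnsafeArgSet in sync`, because the new return expressions in the later hunk treat a missing flag as "not unsafe", so a future assignment that forgets it would be silently dropped. The rest of `HandlePrintfSpecifier` lies outside the hunk.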
@@ -922,15 +927,17 @@ static bool hasUnsafeFormatOrSArg(const CallExpr *Call, const Expr *&UnsafeArg,
 StringFormatStringHandler Handler(Call, FmtArgIdx, UnsafeArg, Ctx);
 return analyze_format_string::ParsePrintfString(
- Handler, FmtStr.begin(), FmtStr.end(), Ctx.getLangOpts(),
- Ctx.getTargetInfo(), isKprintf);
+ Handler, FmtStr.begin(), FmtStr.end(), Ctx.getLangOpts(),
+ Ctx.getTargetInfo(), isKprintf) &&
+ Handler.isUnsafeArgSet();
 }
 if (auto FmtStr = SL->tryEvaluateString(Ctx)) {
 StringFormatStringHandler Handler(Call, FmtArgIdx, UnsafeArg, Ctx);
 return analyze_format_string::ParsePrintfString(
- Handler, FmtStr->data(), FmtStr->data() + FmtStr->size(),
- Ctx.getLangOpts(), Ctx.getTargetInfo(), isKprintf);
+ Handler, FmtStr->data(), FmtStr->data() + FmtStr->size(),
+ Ctx.getLangOpts(), Ctx.getTargetInfo(), isKprintf) &&
+ Handler.isUnsafeArgSet();
 }
 }
 // If format is not a string literal, we cannot analyze the format string.
diff --git a/clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions.cpp b/clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions.cpp
index 765dcbcc07df5..38cec5bdf50ce 100644
--- a/clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions.cpp
+++ b/clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions.cpp
@@ -248,3 +248,8 @@ void test(StrBuff& str)
 LibC.strcpy(buff);
 LibC.memcpy(buff, buff, 64);
 }
+
+void dontCrashForInvalidFormatString() {
+ snprintf((char*)0, 0, "%");
+ snprintf((char*)0, 0, "\0");
+}
>From 1d6835f2c7f9dbcb544afbe55f32db3db1da452c Mon Sep 17 00:00:00 2001
From: flovent <[email protected]>
Date: Fri, 12 Dec 2025 20:47:30 +0800
Subject: [PATCH 2/2] [NFC] Add entry in release notes
---
 clang/docs/ReleaseNotes.rst | 1 +
 1 file changed, 1 insertion(+)
diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst
index 22ca79d6adc28..ff27cc481b8ea 100644
--- a/clang/docs/ReleaseNotes.rst
+++ b/clang/docs/ReleaseNotes.rst
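Review bot: The two new `return` expressions in `hasUnsafeFormatOrSArg` change what a parse failure means without a comment saying so: `ParsePrintfString` returns true both when the handler stops it and when it gives up on a malformed format string, and after this change the latter now yields false, i.e. the call is reported as not unsafe and the caller's `UnsafeArg` is left untouched. That is the right outcome if callers dereference `UnsafeArg` whenever true is returned, which is presumably what crashed, but it also means a format string the parser rejects is never flagged by this check; whether `-Wformat` reports it separately is not visible here. Suggest a comment above the first return, `// ParsePrintfString also returns true on a malformed format string; only report "unsafe" when the handler actually recorded an argument.`, and note that because the flag is set only on the path where the handler returns false, `Handler.isUnsafeArgSet()` alone already implies the left operand. The identical tail in both branches could be shared by routing both through one call that takes the (begin, end) pair, so the rule lives in one place. The function starts and ends outside the hunk.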
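Review bot: The new `dontCrashForInvalidFormatString` test pins only that the two malformed literals no longer crash; nothing here checks that the other half of the change still holds, namely that a format string containing an unsafe specifier is still reported. A third call in which a `%s`-style specifier with an argument precedes the malformed tail, e.g. `"%s%"`, would exercise the `UnsafeArgSet` path and the new `&&` together; which argument kinds the check treats as unsafe is not visible in this hunk, so the expected-warning annotation would have to follow the file's existing cases, which lie outside it. The `"\0"` case deserves a one-line comment naming what it exercises, a literal carrying an embedded NUL byte rather than an empty string, since it otherwise reads like a typo.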
@@ -528,6 +528,7 @@ Bug Fixes in This Version
 - Fixed false-positive shadow diagnostics for lambdas in explicit object member functions. (#GH163731)
 - Fix an assertion failure when a ``target_clones`` attribute is only on the forward declaration of a multiversioned function. (#GH165517) (#GH129483)
+- Fix a crash caused by invalid format string in printf-like functions with ``-Wunsafe-buffer-usage-in-libc-call`` option enabled. (#GH170496)
 Bug Fixes to Compiler Builtins
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
