https://bugs.llvm.org/show_bug.cgi?id=36380
Bug ID: 36380
Summary: No sanity checking of array size with width specifier
?
Product: new-bugs
Version: 5.0
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedb...@nondot.org
Reporter: dcb...@hotmail.com
CC: llvm-bugs@lists.llvm.org
Given the following code:
# include <stdio.h>
extern void g( FILE * fp);
void f( FILE * fp)
{
char buf[ 10];
while (fscanf( fp, "%10s", buf))
;
while (fscanf( fp, "%5s", buf))
;
while (fscanf( fp, "%20s", buf))
;
g( fp);
}
then clang doesn't seem to sanity check the size in the % specifier
against the buffer size. Please note that %10s isn't the correct size.
That's a well known off by one error.
Here is static analyser cppcheck doing something suitable:
[sep9a.cc:13]: (error) Width 10 given in format string (no. 1) is larger than
destination buffer 'buf[10]', use %9s to prevent overflowing it.
[sep9a.cc:17]: (error) Width 20 given in format string (no. 1) is larger than
destination buffer 'buf[10]', use %9s to prevent overflowing it.
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs