https://bugs.llvm.org/show_bug.cgi?id=36380

            Bug ID: 36380
           Summary: No sanity checking of array size with width specifier
                    ?
           Product: new-bugs
           Version: 5.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: new bugs
          Assignee: unassignedb...@nondot.org
          Reporter: dcb...@hotmail.com
                CC: llvm-bugs@lists.llvm.org

Given the following code:

# include <stdio.h>

extern void g( FILE * fp);

void f( FILE * fp)
{
        char buf[ 10];

        while (fscanf( fp, "%10s", buf))
                ;
        while (fscanf( fp, "%5s", buf))
                ;
        while (fscanf( fp, "%20s", buf))
                ;
        g( fp);
}

then clang doesn't seem to sanity check the size in the % specifier
against the buffer size. Please note that %10s isn't the correct size.
That's a well known off by one error.

Here is static analyser cppcheck doing something suitable:

[sep9a.cc:13]: (error) Width 10 given in format string (no. 1) is larger than
destination buffer 'buf[10]', use %9s to prevent overflowing it.
[sep9a.cc:17]: (error) Width 20 given in format string (no. 1) is larger than
destination buffer 'buf[10]', use %9s to prevent overflowing it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs

Reply via email to