| Issue | 143334 |
|---|---|
| Summary | Missing -Wformat-overflow diagnostics for positional directives with dynamic width or precision (*m$) |
| Labels | new issue |
| Assignees | |
| Reporter | hutuhutong |
### Summary
As far as I know, this problem exists in >13.0.0, <20.1.0. Clang does not emit a buffer overflow warning when `__builtin_sprintf` is used with a positional directive and dynamic width specifier, such as `%1$*1$i`. This leads to missed diagnostics for clearly out-of-bounds writes.
By contrast, Clang does issue warnings for similar overflows in `strcpy` and `sprintf` when the format is constant or simpler. This inconsistency can silently hide real bugs and should be addressed.
### Details
========test.c========
```c
#include <stdio.h>
#include <string.h>

int main() {
    char test[5];
    strcpy(test, "overflow!");                     /* 10 bytes into 5: diagnosed (-Wfortify-source) */
    printf("Copied string: %s\n", test);

    char test1[5];
    /* argument 1 (14) is used both as the field width and as the value,
       so the output is 14 characters wide: not diagnosed */
    int n = __builtin_sprintf(test1, "%1$*1$i", 14);
    __builtin_printf("%i:\"%s\"\n", n, test1);

    char test2[5];
    int len = sprintf(test2, "0123456789ABCDEF");  /* 17 bytes into 5: diagnosed (-Wformat-overflow) */
    printf("len=%d, d=\"%s\"\n", len, test2);
    return 0;
}
```
========output========
```text
$ clang -Wall -Wextra -O0 -o test test.c
test.c:6:5: warning: 'strcpy' will always overflow; destination buffer has size 5, but the source string has length 10 (including NUL byte) [-Wfortify-source]
    6 |     strcpy(test, "overflow!");
      |     ^
test.c:14:15: warning: 'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 17 [-Wformat-overflow]
   14 |     int len = sprintf(test2, "0123456789ABCDEF");
      |               ^
2 warnings generated.
$ ./test
Copied string: overflow!
14:" 14"
len=16, d="0123456789ABCDEF"
```
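Until the diagnostic covers `*m$` widths, the expansion can be measured at runtime instead. The helpers below are an added illustration (not Clang code and not part of the report): `vsnprintf(NULL, 0, ...)` evaluates positional and dynamic-width directives, so `checked_sprintf` refuses the same `%1$*1$i` write that the compiler lets through silently. The function names are my own.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: length of the fully expanded format (NUL excluded),
 * or -1 on a format error. A copy of the va_list is consumed so the caller's
 * list stays usable; "%1$*1$i" with 14 yields 14 (12 spaces plus "14"). */
static int vformat_length(const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);
    int needed = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    return needed;
}

static int format_length(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vformat_length(fmt, ap);
    va_end(ap);
    return needed;
}

/* Hypothetical sprintf replacement: writes into dst only when the whole
 * expansion plus the terminating NUL fits in dst_size. Returns the number
 * of characters written, or -1 (with dst emptied) when it would overflow. */
static int checked_sprintf(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vformat_length(fmt, ap);
    if (needed < 0 || (size_t)needed + 1 > dst_size) {
        va_end(ap);
        if (dst_size > 0) dst[0] = '\0';
        return -1;
    }
    int written = vsnprintf(dst, dst_size, fmt, ap); /* known to fit */
    va_end(ap);
    return written;
}

int main(void)
{
    char test1[5]; /* same 5-byte destination as in the report */
    int n = checked_sprintf(test1, sizeof test1, "%1$*1$i", 14);
    printf("needed=%d, result=%d, test1=\"%s\"\n",
           format_length("%1$*1$i", 14), n, test1);
    return 0;
}
```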
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs