http://llvm.org/bugs/show_bug.cgi?id=18412
Bug ID: 18412
Summary: Static analysis should've caught CVE-2013-6462
Product: clang
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P
Component: Static Analyzer
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Classification: Unclassified
http://lists.x.org/archives/xorg-announce/2014-January/002389.html
CVE-2013-6462 is a vulnerability in libXfont (part of X.org) due to not
properly specifying a buffer size when reading in a string via sscanf.
I have provided a reduced version of the issue, and neither static analysis nor
-Wformat=2 produces any indication of the issue with recent trunk:
~ $ clang-mp-3.5 --version
clang version 3.5 (trunk 198565)
Target: x86_64-apple-darwin13.1.0
Thread model: posix
~ $ scan-build-mp-3.5 clang-mp-3.5 -Wall -Wextra -Wformat=2 -c notcaught.c
scan-build: Using '/opt/local/libexec/llvm-3.5/bin/clang' for static analysis
scan-build: Removing directory
'/var/folders/1b/f1bzh5152y9bvygzl07fn87m0000gn/T/scan-build-2014-01-07-090611-97009-1'
because it contains no reports.
scan-build: No bugs found.
~ $ cat notcaught.c
#include <stdio.h>
#include <string.h>
int readforme(const char * line, char ** ret) {
char charName[100];
if (sscanf(line, "STARTCHAR %s", charName) != 1) {
*ret = NULL;
return -1;
}
*ret = strdup(charName);
return 0;
}
---
Note that %s needs to be %99s in order to be safe.
---
cppcheck caught the issue:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
LLVMbugs mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/llvmbugs
