https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106021
Bug ID: 106021
Summary: RFE: more sources of taint: scanf and its cousins
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---

scanf and its cousins should taint their arguments:

    #include <stdio.h>

    int scanf(const char *format, ...);
    int fscanf(FILE *stream, const char *format, ...);
    int sscanf(const char *str, const char *format, ...);

    #include <stdarg.h>

    int vscanf(const char *format, va_list ap);
    int vsscanf(const char *str, const char *format, va_list ap);
    int vfscanf(FILE *stream, const char *format, va_list ap);

Possibly add/reuse an attribute for this, or hardcode it.

Additionally, we should probably "teach" the analyzer about the semantics of
them (possibly by refactoring the -Wformat code?)
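
An added example, not part of the bug report or of GCC's sources: the kind of flow this request is about, where a value written by sscanf is used as an array index, shown next to the bounds-checked form. The names table, lookup_unchecked and lookup_checked are hypothetical, and whether a given GCC release reports the first function is not something this report states.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed lookup table for illustration. */
static const int table[4] = { 10, 20, 30, 40 };
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Unchecked: idx is written by sscanf from caller-supplied text and then
   used directly as an index. If sscanf were a taint source, idx would be
   tainted here and the subscript below is the use a taint check targets. */
int lookup_unchecked(const char *line, int *out)
{
    int idx;
    /* sscanf returns the number of conversions stored; on failure idx is
       left unwritten, which is part of the "semantics" to be modelled. */
    if (sscanf(line, "%d", &idx) != 1)
        return -1;
    *out = table[idx];              /* no range check on external input */
    return 0;
}

/* Checked: same parse, but the value is validated against both bounds
   before it reaches the subscript, so the index is no longer arbitrary. */
int lookup_checked(const char *line, int *out)
{
    int idx;
    if (sscanf(line, "%d", &idx) != 1)
        return -1;
    if (idx < 0 || (size_t)idx >= TABLE_LEN)
        return -1;
    *out = table[idx];
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "2", "7", "-1", "abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0;
        int rc = lookup_checked(samples[i], &v);
        printf("%-4s -> rc=%d value=%d\n", samples[i], rc, v);
    }
    return 0;
}
```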