<html>

    <head>

      <base href="http://llvm.org/bugs/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW --- - Static analysis should've caught CVE-2013-6462"

   href="http://llvm.org/bugs/show_bug.cgi?id=18412">18412</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Static analysis should've caught CVE-2013-6462

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>clang

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Static Analyzer

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>kremenek@apple.com

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>jeremyhu@apple.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvmbugs@cs.uiuc.edu

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr></table>

      <p>

        <div>

        <pre><a href="http://lists.x.org/archives/xorg-announce/2014-January/002389.html">http://lists.x.org/archives/xorg-announce/2014-January/002389.html</a>

CVE-2013-6462 is a vulnerability in libXfont (part of X.org) due to not

properly specifying a buffer size when reading in a string via sscanf.

I have provided a reduced version of the issue, and neither static analysis nor

-Wformat=2 produces any indication of the issue with recent trunk:

~ $ clang-mp-3.5 --version

clang version 3.5 (trunk 198565)

Target: x86_64-apple-darwin13.1.0

Thread model: posix

~ $ scan-build-mp-3.5 clang-mp-3.5 -Wall -Wextra -Wformat=2 -c notcaught.c 

scan-build: Using '/opt/local/libexec/llvm-3.5/bin/clang' for static analysis

scan-build: Removing directory

'/var/folders/1b/f1bzh5152y9bvygzl07fn87m0000gn/T/scan-build-2014-01-07-090611-97009-1'

because it contains no reports.

scan-build: No bugs found.

~ $ cat notcaught.c 

#include <stdio.h>

#include <string.h>

int readforme(const char * line, char ** ret) {

    char charName[100];

    if (sscanf(line, "STARTCHAR %s", charName) != 1) {

        *ret = NULL;

        return -1;

    }

    *ret = strdup(charName);

    return 0;

}

---

Note that %s needs to be %99s in order to be safe.

---

cppcheck caught the issue:

  [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)

      scanf without field width limits can crash with huge input data.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>