<table border="1" cellspacing="0" cellpadding="8">

    <tr>

        <th>Issue</th>

        <td>

            <a href=http://email.email.llvm.org/c/eJylVttu2zgQ_Rr5hbAgUZIvD35wnKbNonsBgrb7ZlDSWGJDkQZJJfV-_c5QkuMgl3axhiCL4vDMmeGZoUpTnzafZMR3LEquo2Q73G9ZKx6AuaPxHmomGD6A9lIoJpzQTDrXQ5RtmW_BAg7RxHlR3bOqFZaV_eEAlkWLZLhwfH5mj62sWlpykEoh-KP0LS5_EKoHlvxImdA1TWvjme6VmnuwndSCiETFVUpceVRcxyPjb8izQk5IZXIcIM8eHU1fEHAgbNVK3bCDsYyi0R4aXDZQQB9ZgL-TuoJL2MpoL6R2zGh1IqqOuJDBAEmsG0PA3uADM71n5sBK0-vaxeyTeYQHsLQmJLE24HTEl57V4KHyASlkNn62C7hGHiRGT_NHa0oFHVLAnFmocFdYpQT6LHupMEN8hfZO4nyaR3wdX27rOQfjkGcYouprDDrbOV9LE7dR9uH1WYuBXU6HO6aOdZgTdEuPwjYVxUcqiPiWxg-YT0wnUmHR8mpYxcbfJBY04QkaoaNrRmYswft1lF2xF7-I3-A1KAFhn-F10DnwyIUwkUbQipP_gDlML9d0PeE-ofEXaBQQbiGqIvBKcNlLAws-zI4iO7uOOI94UYc_Gi0GpNH7k9vshdsjJtoTEq4ldBTVgLSb2Exvip0e8S1FPc0PPp6DokFv9WQwzVKOXxVGuO9Md5RKeNQSlvqrhoPy5geUs_SYZ8yEqGsLzjEPzscVm5vw9I6bW6w-XOFRXuoUkjVZIdUGk1E_le5QKI5NLQibCeipPGmjKTc8wTf-ZXlJHwo-mKXJWyFFPGeTYxbjLl3Qz1CS1-mq4MssHwbsd-iqFqr7UNUkQGNPDKxFR4NbY99evDPHk5VN66lsd1QiPEn4nCfpMuAhg49_fGEf__qMcQQFlCf2W68kxn8Hj8LWDAUiVPy2iy-O-tHXMaB5FqdFnATkz7L8-uFvUqMF2-uhac7bkKPqTEzqg3kvgK5DLDoJfpqq91B0LUlmqO3vfXdkyKAz2PlqOAK2Tmp2vZYkMaGkw04YOjXmzJHW38TFn_DYp_NVnhXrBbG04rGjHbMsdCwqxN5hq7pRssT7j9Viv8jnSur-x7zRPb46ixAfm6MFZUS978Zdn4uunuxjZ37GpjwFNjfLm6wgNvvbP_fYWPcUGj5gqVV7OowsZYLC89YcXVyhbZ7-Ivhume_4BTiesrC3IOoRkMbUxrfr4j8j7qUz1Xq9H5pdSOHli0CU-tavwCZpul0Rajg-nlfirN5k9Tpbi5nofWvsxt_3VevFrLdq03p_dFS9oYc2qNq-jCvT0Saqh-lvjgfldyw_HIZOgUq5KbJFVszaTQb5Kl3m5VoUkKyX9bpI6dUyK4GvqyqdKVGCchs6uTjX8Dh-73A6I2b_n4Hc8ITjlSzTJU95FqPrjK8OSZotARZ5GeUJYFpUTDixsc3MbgJk2TcOJ7EIvHuaFM7JRgNshqN25qVXYTC0Z_rYoMN1O3Tmu7FXW3ZAF46-VSwcjfVTH8XKs_OgGCyQcavpc4OK8OJbbLCehdg2IbB_AeTsARE>53635</a>

        </td>

    </tr>

    <tr>

        <th>Summary</th>

        <td>

            [clang asan] AddressSanitizer fails to report buffer over-read in sscanf on an unterminated buffer

        </td>

    </tr>

    <tr>

      <th>Labels</th>

      <td>

            new issue

      </td>

    </tr>

    <tr>

      <th>Assignees</th>

      <td>

      </td>

    </tr>

    <tr>

      <th>Reporter</th>

      <td>

          tkuchta

      </td>

    </tr>

</table>

<pre>

    Hi, 

I have spotted a potential asan issue: there is a stack char buffer ```buf``` which is filled with a value 0x1 and is not null-terminated [1, 2]. 

We scan the buffer with ```sscanf``` searching for an integer value [3]. Since the buffer contains only 0x1s, the search is going to go out of bounds. However, asan doesn't detect the issue.

I have verified the problem on a recent clang build (version 14).

```

#include <stdio.h>

#include <string.h>

int main(int argc, char* argv[]) {

        char buf[20] =  { 0 };                  // [1]

        memset(buf, 1, sizeof(buf));        // [2]

        int outval = 0;

        int ret = sscanf(buf, "%d", &outval); // [3]

        printf("ret is %d, outval is %d\n", ret, outval);

        return outval;

}

```

Compilation:

```

clang -fsanitize=address test.c -o test

```

Interestingly, ```valgrind``` detects an issue when buffer size is 20 but doesn't detect it for size 10:

```

$ valgrind ./test

==1852734== Memcheck, a memory error detector

==1852734== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info

==1852734== Command: ./test

==1852734==

==1852734== Conditional jump or move depends on uninitialised value(s)

==1852734==    at 0x4843596: rawmemchr (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)

==1852734==    by 0x48F7F35: _IO_str_init_static_internal (strops.c:41)

==1852734==    by 0x48C74C2: _IO_strfile_read (strfile.h:95)

==1852734==    by 0x48C74C2: __isoc99_sscanf (isoc99_sscanf.c:28)

==1852734==    by 0x4011A8: main

```

</pre>

<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJyVVttyozgQ_Rr8ojIFwhj7wQ-OM5nJ1uylKjWz--YS0BhNhOSSRBLv12-3AMepXGaWojBCrdOnW6dbLk192nyREd-xKLmOku3wvGWteADmjsZ7qJlg-ALaS6GYcEIz6VwPUbZlvgULOEQT50V1z6pWWFb2TQOWRctkuHF8fmePraxaWtJIpRD8UfoWlz8I1QNLnlImdE3T2nime6XmHmwntSAiUX6VElce5dfxyPhv5FkhJ6QyOQ6QZ4-Opi8IOBC2aqU-sMZYRtFoDwdcNlBAH1mAv5O6gkvYymgvpHbMaHUiqo64kMEASawPhoC9wRdmes9Mw0rT69rF7It5hAewtCYksTbgdMQLz2rwUPmAFDIbv9gFXCMbidHT_NGaUkGHFDBnFircFVYpgT7LXirMEF-hvZM4ny4ivo4vt_Wcg3HIMwxR9TUGne2cr6WJ2yj79PasxcAup8MTU8c6zAm6pVdhDxXFRyqI-JbGD5hPTCdSYVFxNaxi4zWJBU14gkbo6JqRGUvweR1lV-zVFfEbvAclIOwLvA46Bx65ECbSCFpx8l8wzfRxTfcz7jMaf4VGAeEWoioCrwSXvTaw4MPsKLKz64jziOd1-KHRckAavT-7zV65PWKiPSHhWkJHUQ1Iu4nN9CXf6RHfUtTT_ODjJSga9FZPBtMs5fhNYYTnznRHqYRHLWGpv2k4KG_eoJylxzxjJkRdW3COeXA-rtjchLcP3Nxi9eEKj_JSp5CsyQqpHjAZ9XPpDoXi2NSCsJmAnsqTNppywxP84l-Xl_Sh4INZmrwXUsQXbHLMYtylC_oZSvI6XeW8yBbDgP0OXdVCdR-qmgRo7ImBtehocGvs-4t35niy8tB6KtsdlQhPEj7nSVoEPGTw-Y9v7PNfXzGOoIDyxH7rlcT47-BR2JqhQISK33fxzVE_-j4GNM_iNI-TgPxVlt8__UNqtGB7PTTNeRtyVJ2JSd2YjwLoOsSik-CnqfoIRdeSZIba_tF3R4YMOoOdr4YjYOukZtdrSRITSjrshKFTY84caf1dXLyExz69WC2yfL0kllY8drRjloWORYXYO2xVN0qW-HxaLffLxVxJ3T_ND7rHT2cR4uvhaEEZUe-7cdfnoqsn-9iZn7EpT4HNTXGT5cRmf_vnHhvrnkLDFyy1ak-HkaVMUHjemqOLK7RdpL8IvisWO34Bjqcs7C2IegSkMbXx7Tr_34h76Uy1Xu-HZhdSePkhEKW-9SuwSZpuV4Qajo-XlTirN1m9ztZi5qVXsME-OXQaOjfpnNgOTeZubDuWNUIqR8euhaOxfmoJKCI7D8HjXo-s6eQkPV38rRisZ71Vm9b7o6PeEDr0AWuiL-PKdCQR9TD9zPEY_oHFjcPQh1CHN3m2zPJZu8mgWBcNXy3yvIY8gSKHus5WdZqXCZSwnClRgnIUFHZvDY_jvylOJ9BMbnjC8U6KtOApz-JVkWV81SRpVgAsF2W0SABTpmLiERt7mNlNoFT2B4eTWCDePU8K5-RBQ8gh4Yvet8Zu_H1ftV7MgutNoP4fIrnsHw">