<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/61768>61768</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
ASAN: invalid handling of `scanf("%mc")` format option
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
nalajcie
</td>
</tr>
</table>
<pre>
Test case with false positive:
```c
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
    const char *buff = "foo";
    char *res = NULL;
    // ASAN fails inside scanf
    sscanf(buff, "%mc", &res);
    free(res);
    return 0;
}
```
The above code fails under `glibc-2.35` (but the responsible code wasn't changed in the last 9 years).
Responsible code: https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors_format.inc#L347
IMHO it's invalid to assume the NULL character would be appended in the case of `%[precision]mc`, so `strlen` can't be used here (and +1 is strictly invalid). The POSIX-2008:TC2 standard is kind of ambiguous about that, but I've found a discussion about changes going into TC3 (when it is published) which explicitly states that the NULL character would be appended in the `s` case only: https://www.austingroupbugs.net/view.php?id=1173
Other standard libraries aside from `glibc` were not inspected.
</pre>
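<pre>
Added example, not part of the original report and not compiler-rt code: a way to consume a `%mc` result without treating it as a C string, taking the stored length from `%n` instead of `strlen`. The helper names `m_store_size` and `read_chars` are hypothetical, and a libc that supports the POSIX `m` modifier (such as glibc) is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: bytes that land in an 'm'-allocated buffer once
 * `matched` characters were stored. 'c' writes exactly those characters;
 * 's' and '[' write them plus one terminating '\0'. */
static size_t m_store_size(char conv, size_t matched)
{
    return conv == 'c' ? matched : matched + 1;
}

/* Hypothetical helper: read up to `width` characters with %<width>mc and
 * return them as a NUL-terminated copy, or NULL on failure. The length is
 * taken from %n, never from strlen(): the %mc buffer is not a C string. */
static char *read_chars(const char *input, size_t width)
{
    char fmt[32];
    char *raw = NULL, *out;
    int used = 0;

    if (width == 0)
        return NULL;
    snprintf(fmt, sizeof fmt, "%%%zumc%%n", width);   /* e.g. "%3mc%n" */
    if (sscanf(input, fmt, &raw, &used) != 1)
        return NULL;

    size_t n = (size_t)used;          /* characters consumed == stored */
    out = malloc(n + 1);
    if (out != NULL) {
        memcpy(out, raw, m_store_size('c', n));
        out[n] = '\0';                /* terminator added by us, not scanf */
    }
    free(raw);
    return out;
}

int main(void)
{
    const char *buff = "foo";         /* constructed sample input */
    char *one = read_chars(buff, 1);
    char *all = read_chars(buff, 3);

    printf("%s %s\n", one ? one : "(null)", all ? all : "(null)");
    free(one);
    free(all);
    return 0;
}
```
</pre>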