<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/64611>64611</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Use of malloc, fopen and sscanf in function _initializeAvailabilityCheck tagged as insecure API in penetration testing
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
kmaschke85
</td>
</tr>
</table>
<pre>
Our app has been put through penetration testing. The app has been tagged as making use of insecure APIs because we make use of the C functions `malloc`, `sscanf` and `fopen`:
**CWE-676: Use of Potentially Dangerous Function**
_The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely._
https://cwe.mitre.org/data/definitions/676.html
**CWE-789: Memory Allocation with Excessive Size Value**
_The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated._
https://cwe.mitre.org/data/definitions/789.html
By disassembling our app it turned out that the use of `#available`/`@available` attributes is the cause of the use.
https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/builtins/os_version_check.c
The testers recommended using
- `fopen_s` instead of `fopen`
- `sscanf_s` instead of `sscanf`
- `calloc` instead of `malloc`
Is there any chance this could be fixed? Thanks!
</pre>
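The pattern the report is about, as an added example that is neither the reporter's nor LLVM's code: a version-file reader that still calls fopen, malloc and sscanf, but with the size ceiling and return-value checks that address CWE-789 and CWE-676. It assumes a plist-like text containing a ProductVersion key with an X.Y.Z string; the function and file names are made up for the example.

```c
/* Added example, not LLVM's code: the checks a reviewer wants around
 * fopen/malloc/sscanf when reading "<key>ProductVersion</key><string>X.Y.Z</string>". */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PLIST_BYTES (64 * 1024)   /* CWE-789: hard ceiling on allocation size */

/* Read at most MAX_PLIST_BYTES from path into a NUL-terminated heap buffer.
 * Returns NULL and sets *len to 0 on any error or an oversized file. */
char *read_file_bounded(const char *path, size_t *len) {
    *len = 0;
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    char *buf = NULL;
    if (fseek(f, 0, SEEK_END) == 0) {
        long size = ftell(f);                  /* untrusted size value */
        if (size > 0 && size <= MAX_PLIST_BYTES && fseek(f, 0, SEEK_SET) == 0) {
            buf = malloc((size_t)size + 1);    /* bounded by the ceiling above */
            if (buf) {
                size_t got = fread(buf, 1, (size_t)size, f);
                buf[got] = '\0';               /* always terminated */
                *len = got;
            }
        }
    }
    fclose(f);
    return buf;
}

/* Extract ProductVersion. CWE-676 hygiene for sscanf: numeric conversions only
 * (no unbounded %s) and the return value is checked, so a malformed string fails. */
bool parse_product_version(const char *text, int *major, int *minor, int *patch) {
    const char *key = strstr(text, "<key>ProductVersion</key>");
    const char *val = key ? strstr(key, "<string>") : NULL;
    if (!val) return false;
    val += strlen("<string>");
    *major = *minor = *patch = 0;
    int n = sscanf(val, "%d.%d.%d", major, minor, patch);
    return n >= 2 && *major >= 0 && *minor >= 0 && *patch >= 0;
}

/* Writes a constructed sample plist so the example runs stand-alone. */
bool write_sample_plist(const char *path, const char *version) {
    FILE *f = fopen(path, "wb");
    if (!f) return false;
    int rc = fprintf(f, "<plist><dict><key>ProductVersion</key><string>%s</string></dict></plist>\n", version);
    return fclose(f) == 0 && rc > 0;
}
```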