[PATCH] D133197: [clang] Fix crash when parsing scanf format string with missing arguments

Fri Sep 2 04:41:55 PDT 2022

serge-sans-paille created this revision.
Herald added a project: All.
serge-sans-paille requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

When parsing a format string with less argument than specified, one should check
argument access because there may be no such argument.

This fixes #57517


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D133197

Files:
  clang/lib/Sema/SemaChecking.cpp
  clang/test/Sema/format-strings-scanf.c


Index: clang/test/Sema/format-strings-scanf.c
===================================================================

--- clang/test/Sema/format-strings-scanf.c
+++ clang/test/Sema/format-strings-scanf.c
@@ -69,6 +69,11 @@
   scanf("%#.2Lf", ld); // expected-warning{{invalid conversion specifier '#'}}
 }
 
+void missing_argument_with_length_modifier() {
+  char buf[30];
+  scanf("%s:%900s", buf); // expected-warning{{more '%' conversions than data arguments}}
+}
+
 // Test that the scanf call site is where the warning is attached.  If the
 // format string is somewhere else, point to it in a note.
 void pr9751(void) {
Index: clang/lib/Sema/SemaChecking.cpp
===================================================================
--- clang/lib/Sema/SemaChecking.cpp
+++ clang/lib/Sema/SemaChecking.cpp
@@ -1066,6 +1066,9 @@
       return llvm::None;
     unsigned NewIndex = *IndexOptional;
 
+    if (NewIndex >= TheCall->getNumArgs())
+      return llvm::None;
+
     const Expr *ObjArg = TheCall->getArg(NewIndex);
     uint64_t Result;
     if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D133197.457560.patch
Type: text/x-patch
Size: 1114 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20220902/73d94ba7/attachment.bin>
