[clang] ab09043 - [clang] Fix crash when parsing scanf format string with missing arguments
via cfe-commits
cfe-commits at lists.llvm.org
Mon Sep 5 01:55:11 PDT 2022
Author: serge-sans-paille
Date: 2022-09-05T10:54:18+02:00
New Revision: ab09043a1985bfb9f1e4393a29a9d83326d306fe
URL: https://github.com/llvm/llvm-project/commit/ab09043a1985bfb9f1e4393a29a9d83326d306fe
DIFF: https://github.com/llvm/llvm-project/commit/ab09043a1985bfb9f1e4393a29a9d83326d306fe.diff
LOG: [clang] Fix crash when parsing scanf format string with missing arguments
When parsing a format string with fewer arguments than specified, one should check
argument access because there may be no such argument.
This fixes #57517
Differential Revision: https://reviews.llvm.org/D133197
Added:
Modified:
clang/lib/Sema/SemaChecking.cpp
clang/test/Sema/format-strings-scanf.c
Removed:
################################################################################
diff --git a/clang/lib/Sema/SemaChecking.cpp b/clang/lib/Sema/SemaChecking.cpp
index 897ab701493c2..afe99ad24fb9d 100644
--- a/clang/lib/Sema/SemaChecking.cpp
+++ b/clang/lib/Sema/SemaChecking.cpp
@@ -1066,6 +1066,9 @@ void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
return llvm::None;
unsigned NewIndex = *IndexOptional;
+ if (NewIndex >= TheCall->getNumArgs())
+ return llvm::None;
+
const Expr *ObjArg = TheCall->getArg(NewIndex);
uint64_t Result;
if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
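Review bot: the new bounds check `if (NewIndex >= TheCall->getNumArgs()) return llvm::None;` fixes the out-of-range `getArg(NewIndex)` that caused the crash, but it deserves a one-line comment explaining why silently returning `llvm::None` is the right outcome here: the object-size check has nothing to evaluate when the format string names an argument the call does not supply, and the mismatch itself is already diagnosed separately by the format-string checker (the "more '%' conversions than data arguments" warning exercised in the test). Without that note a later reader may mistake the early return for a lost diagnostic rather than a deliberate hand-off.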
diff --git a/clang/test/Sema/format-strings-scanf.c b/clang/test/Sema/format-strings-scanf.c
index aebb68c37fb98..eb5b8ec36bf7a 100644
--- a/clang/test/Sema/format-strings-scanf.c
+++ b/clang/test/Sema/format-strings-scanf.c
@@ -69,6 +69,11 @@ void bad_length_modifiers(char *s, void *p, wchar_t *ws, long double *ld) {
scanf("%#.2Lf", ld); // expected-warning{{invalid conversion specifier '#'}}
}
+void missing_argument_with_length_modifier() {
+ char buf[30];
+ scanf("%s:%900s", buf); // expected-warning{{more '%' conversions than data arguments}}
+}
+
// Test that the scanf call site is where the warning is attached. If the
// format string is somewhere else, point to it in a note.
void pr9751(void) {
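Review bot: the test name `missing_argument_with_length_modifier` does not match what the test exercises: `"%s:%900s"` carries a field width (900) on the second conversion, not a length modifier such as `l` or `h`, so either rename the function (for example to reflect the field width) or add a second call that actually uses a length modifier. Also, the surrounding file declares its no-argument functions as `void pr9751(void)`; the new function should follow that convention and be declared `void missing_argument_with_length_modifier(void)`, since an empty parameter list in C is an unprototyped declaration.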