[clang] ab09043 - [clang] Fix crash when parsing scanf format string with missing arguments

via cfe-commits cfe-commits at lists.llvm.org
Mon Sep 5 01:55:11 PDT 2022 

Author: serge-sans-paille
Date: 2022-09-05T10:54:18+02:00
New Revision: ab09043a1985bfb9f1e4393a29a9d83326d306fe

URL: https://github.com/llvm/llvm-project/commit/ab09043a1985bfb9f1e4393a29a9d83326d306fe
DIFF: https://github.com/llvm/llvm-project/commit/ab09043a1985bfb9f1e4393a29a9d83326d306fe.diff

LOG: [clang] Fix crash when parsing scanf format string with missing arguments

When parsing a format string with less argument than specified, one should check
argument access because there may be no such argument.

This fixes #57517

Differential Revision: https://reviews.llvm.org/D133197

Added: 
    

Modified: 
    clang/lib/Sema/SemaChecking.cpp
    clang/test/Sema/format-strings-scanf.c

Removed: 
    


################################################################################
diff  --git a/clang/lib/Sema/SemaChecking.cpp b/clang/lib/Sema/SemaChecking.cpp
index 897ab701493c2..afe99ad24fb9d 100644
--- a/clang/lib/Sema/SemaChecking.cpp
+++ b/clang/lib/Sema/SemaChecking.cpp
@@ -1066,6 +1066,9 @@ void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
       return llvm::None;
     unsigned NewIndex = *IndexOptional;
 
+    if (NewIndex >= TheCall->getNumArgs())
+      return llvm::None;
+
     const Expr *ObjArg = TheCall->getArg(NewIndex);
     uint64_t Result;
     if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))

diff  --git a/clang/test/Sema/format-strings-scanf.c b/clang/test/Sema/format-strings-scanf.c
index aebb68c37fb98..eb5b8ec36bf7a 100644
--- a/clang/test/Sema/format-strings-scanf.c
+++ b/clang/test/Sema/format-strings-scanf.c
@@ -69,6 +69,11 @@ void bad_length_modifiers(char *s, void *p, wchar_t *ws, long double *ld) {
   scanf("%#.2Lf", ld); // expected-warning{{invalid conversion specifier '#'}}
 }
 
+void missing_argument_with_length_modifier() {
+  char buf[30];
+  scanf("%s:%900s", buf); // expected-warning{{more '%' conversions than data arguments}}
+}
+
 // Test that the scanf call site is where the warning is attached.  If the
 // format string is somewhere else, point to it in a note.
 void pr9751(void) {

More information about the cfe-commits mailing list