[llvm-bugs] [Bug 36380] New: No sanity checking of array size with width specifier ?
via llvm-bugs
llvm-bugs at lists.llvm.org
Wed Feb 14 05:17:13 PST 2018
https://bugs.llvm.org/show_bug.cgi?id=36380
Bug ID: 36380
Summary: No sanity checking of array size with width specifier
?
Product: new-bugs
Version: 5.0
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: dcb314 at hotmail.com
CC: llvm-bugs at lists.llvm.org
Given the following code:
# include <stdio.h>
extern void g( FILE * fp);
void f( FILE * fp)
{
char buf[ 10];
while (fscanf( fp, "%10s", buf))
;
while (fscanf( fp, "%5s", buf))
;
while (fscanf( fp, "%20s", buf))
;
g( fp);
}
then clang doesn't seem to sanity check the size in the % specifier
against the buffer size. Please note that %10s isn't the correct size.
That's a well known off by one error.
Here is static analyser cppcheck doing something suitable:
[sep9a.cc:13]: (error) Width 10 given in format string (no. 1) is larger than
destination buffer 'buf[10]', use %9s to prevent overflowing it.
[sep9a.cc:17]: (error) Width 20 given in format string (no. 1) is larger than
destination buffer 'buf[10]', use %9s to prevent overflowing it.
--
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20180214/b825452c/attachment.html>
More information about the llvm-bugs
mailing list