This is an archive of the discontinued LLVM Phabricator instance.

Differential D111833

[clang] Fortify warning for scanf calls with field width too big.
ClosedPublic

Authored by mbenfield on Oct 14 2021, 1:25 PM.

Details

Reviewers
enh
george.burgess.iv
Commits
rG2db66f8d48be: [clang] Fortify warning for scanf calls with field width too big.
rG5a8c1736289f: [clang] Fortify warning for scanf calls with field width too big.
rG15e3d39110fa: [clang] Fortify warning for scanf calls with field width too big.

Diff Detail

Event Timeline

mbenfield created this revision.Oct 14 2021, 1:25 PM
Herald added a reviewer: george.burgess.iv. · View Herald TranscriptOct 14 2021, 1:25 PM
mbenfield requested review of this revision.Oct 14 2021, 1:25 PM
Herald added a project: Restricted Project. · View Herald TranscriptOct 14 2021, 1:25 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B128939: Diff 379819.Oct 14 2021, 1:59 PM
enh added a comment.Oct 14 2021, 2:30 PM

"shut up and take my money!" :-)

clang/lib/Sema/SemaChecking.cpp
678

(stray tabs?)

mbenfield added inline comments.Oct 15 2021, 9:41 AM
clang/lib/Sema/SemaChecking.cpp
678

Not sure what you're referring to. AFAICT there are no tabs in this file.

enh added inline comments.Oct 15 2021, 9:53 AM
clang/lib/Sema/SemaChecking.cpp
678

oh, gerrit uses the >> symbol to mean "tab". is this tool just saying "indentation changed", not specifically "someone added a tab"?

mbenfield added inline comments.Oct 15 2021, 2:30 PM
clang/lib/Sema/SemaChecking.cpp
678

Ah I see. Yes, I think that's correct, that it doesn't mean a tab here.

mbenfield removed a reviewer: gbiv.Oct 18 2021, 11:06 AM
george.burgess.iv accepted this revision.Oct 19 2021, 6:25 PM

LGTM % nits -- thanks for this! :)

clang/include/clang/Basic/DiagnosticSemaKinds.td
836

nit: s/Warning </Warning</

838

nit: please s/null/NUL/ for consistency with elsewhere

clang/lib/Sema/SemaChecking.cpp
415

optional: llvm generally prefers FunctionRefs for simplicity and speed. if it's easy to refactor to use those (seems like it may be), please do. otherwise, it's not a big deal.

This revision is now accepted and ready to land.Oct 19 2021, 6:25 PM
mbenfield updated this revision to Diff 380956.Oct 20 2021, 7:59 AM

respond to comments: null to NUL, remove stray space, use function_ref

mbenfield marked 5 inline comments as done.Oct 20 2021, 8:01 AM
Harbormaster completed remote builds in B129732: Diff 380956.Oct 20 2021, 8:33 AM
george.burgess.iv accepted this revision.Oct 20 2021, 2:15 PM

LGTM. Thanks again!

clang/lib/Sema/SemaChecking.cpp
749

nit: const auto if possible (and below)

770

Please put this in a variable and pass that into H's constructor. function_ref doesn't own the function it points to, so any use of this at line >= 758 (e.g., line 768) is a use-after-free.

mbenfield updated this revision to Diff 382075.Oct 25 2021, 11:48 AM

rebase and rerun tests

Harbormaster completed remote builds in B130520: Diff 382075.Oct 25 2021, 12:23 PM
nickdesaulniers added a subscriber: kees.Oct 25 2021, 1:25 PM
nickdesaulniers added a subscriber: nickdesaulniers.
mbenfield updated this revision to Diff 382802.Oct 27 2021, 2:34 PM

rebase and rerun tests

Harbormaster completed remote builds in B131044: Diff 382802.Oct 27 2021, 3:23 PM
mbenfield updated this revision to Diff 382840.Oct 27 2021, 4:16 PM

fix function_ref use-after-free

mbenfield updated this revision to Diff 382845.Oct 27 2021, 4:20 PM

const

mbenfield marked 2 inline comments as done.Oct 27 2021, 4:22 PM
Harbormaster completed remote builds in B131075: Diff 382845.Oct 27 2021, 4:53 PM
Closed by commit rG15e3d39110fa: [clang] Fortify warning for scanf calls with field width too big. (authored by mbenfield). · Explain WhyOct 27 2021, 8:00 PM
This revision was automatically updated to reflect the committed changes.
mbenfield added a commit: rG15e3d39110fa: [clang] Fortify warning for scanf calls with field width too big..
thakis added a subscriber: thakis.Oct 28 2021, 7:41 AM

This doesn't seem to be working very well:

thakis@thakis:~/src/llvm-project$ cat test.cc
#include <inttypes.h>
#include <stdio.h>
#include <stdint.h>

int main() {
  uint16_t hextets[8];
  int chars_scanned;
  char buf[] = "1234:5678:9abc:def0:1234:5678:9abc:def0";
  sscanf(buf,
	 "%4" SCNx16 ":%4" SCNx16 ":%4" SCNx16 ":%4" SCNx16 ":%4" SCNx16
	 ":%4" SCNx16 ":%4" SCNx16 ":%4" SCNx16 "%n",
	 &hextets[0], &hextets[1], &hextets[2], &hextets[3], &hextets[4],
	 &hextets[5], &hextets[6], &hextets[7], &chars_scanned);

  for (int i = 0; i < 8; ++i)
    printf("%x ", hextets[i]);
  printf("%d\n", chars_scanned);
}
thakis@thakis:~/src/llvm-project$ out/gn/bin/clang test.cc -Wall
test.cc:9:3: warning: 'sscanf' may overflow; destination buffer in argument 9 has size 4, but the corresponding field width plus NUL byte is 5 [-Wfortify-source]
  sscanf(buf,
  ^
test.cc:9:3: warning: 'sscanf' may overflow; destination buffer in argument 10 has size 2, but the corresponding field width plus NUL byte is 5 [-Wfortify-source]
2 warnings generated.
thakis@thakis:~/src/llvm-project$ ./a.out 
1234 5678 9abc def0 1234 5678 9abc def0 39
  1. The warning is emitted twice, but doesn't point at code the 2nd time round
  2. That code looks correct to me (ie there shouldn't be any warnings), maybe %n isn't handled correctly?
  3. The diag points at the start of the scanf instead of at the faulty arg.

Especially 2 is breaking builds, so I'll revert this for now. Looks like a cool warning though, looking forward to the relanding :)

thakis added a reverting change: rGbf87294cd4fa: Revert "[clang] Fortify warning for scanf calls with field width too big.".Oct 28 2021, 7:42 AM
mbenfield reopened this revision.Oct 28 2021, 9:31 AM
This revision is now accepted and ready to land.Oct 28 2021, 9:31 AM
mbenfield updated this revision to Diff 383064.Oct 28 2021, 9:31 AM

Only diagnose if conversion specifier is %s.

Give the location of the particular argument rather than the location of the function call.

Test to make sure we don't warn on %d.

mbenfield added a comment.Oct 28 2021, 9:34 AM

Thanks for reverting. Here's another try.

This just shouldn't be warning on any specifier other than %s, so I fixed that.

As far as not pointing at code for the second warning, I verified manually that it does now point at code even when warning twice, but it doesn't seem to be feasible to include a test for that.

enh accepted this revision.Oct 28 2021, 9:41 AM

add tests for %c and %[ too? (it's genuinely unclear to me from a quick skim whether this patch covers them.)

Harbormaster completed remote builds in B131225: Diff 383064.Oct 28 2021, 10:16 AM
mbenfield updated this revision to Diff 383161.Oct 28 2021, 2:10 PM

Support %c and %[ specifiers.

Changed the diagnostic message to accommodate.

mbenfield added a comment.EditedOct 28 2021, 2:10 PM

Previously this patch did not cover %c and %[, but now it does.

Harbormaster completed remote builds in B131295: Diff 383161.Oct 28 2021, 2:45 PM
enh added a comment.Oct 28 2021, 5:12 PM
In D111833#3094868, @mbenfield wrote:

Previously this patch did not cover %c and %[, but now it does.

thanks!

Closed by commit rG5a8c1736289f: [clang] Fortify warning for scanf calls with field width too big. (authored by mbenfield). · Explain WhyNov 1 2021, 10:18 AM
This revision was automatically updated to reflect the committed changes.
mbenfield added a commit: rG5a8c1736289f: [clang] Fortify warning for scanf calls with field width too big..
mbenfield added a reverting change: rGd51a8296d374: Revert "[clang] Fortify warning for scanf calls with field width too big.".Nov 1 2021, 12:37 PM
mbenfield reopened this revision.Nov 3 2021, 7:35 AM
This revision is now accepted and ready to land.Nov 3 2021, 7:35 AM
mbenfield updated this revision to Diff 384431.Nov 3 2021, 7:37 AM

Ignore specifiers with *.

Harbormaster completed remote builds in B132204: Diff 384431.Nov 3 2021, 8:03 AM
Closed by commit rG2db66f8d48be: [clang] Fortify warning for scanf calls with field width too big. (authored by mbenfield). · Explain WhyNov 8 2021, 9:44 AM
This revision was automatically updated to reflect the committed changes.
mbenfield added a commit: rG2db66f8d48be: [clang] Fortify warning for scanf calls with field width too big..

Revision Contents

PathSize
clang/
include/
clang/
Basic/
4 lines
lib/
Sema/
146 lines
test/
Sema/
68 lines

Diff 385538

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 827 Lines▼ Show 20 Linesdef warn_fortify_strlen_overflow: Warning<
" but the source string has length %2 (including NUL byte)">, " but the source string has length %2 (including NUL byte)">,
InGroup<FortifySource>; InGroup<FortifySource>;
def warn_fortify_source_format_overflow : Warning< def warn_fortify_source_format_overflow : Warning<
"'%0' will always overflow; destination buffer has size %1," "'%0' will always overflow; destination buffer has size %1,"
" but format string expands to at least %2">, " but format string expands to at least %2">,
InGroup<FortifySource>; InGroup<FortifySource>;
def warn_fortify_scanf_overflow : Warning<
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

nit: s/Warning </Warning</

george.burgess.iv: nit: s/Warning </Warning</
"'%0' may overflow; destination buffer in argument %1 has size "
"%2, but the corresponding specifier may require size %3">,
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

nit: please s/null/NUL/ for consistency with elsewhere

george.burgess.iv: nit: please s/null/NUL/ for consistency with elsewhere
InGroup<FortifySource>;
/// main() /// main()
// static main() is not an error in C, just in C++. // static main() is not an error in C, just in C++.
def warn_static_main : Warning<"'main' should not be declared static">, def warn_static_main : Warning<"'main' should not be declared static">,
InGroup<Main>; InGroup<Main>;
def err_static_main : Error<"'main' is not allowed to be declared static">; def err_static_main : Error<"'main' is not allowed to be declared static">;
def err_inline_main : Error<"'main' is not allowed to be declared inline">; def err_inline_main : Error<"'main' is not allowed to be declared inline">;
def ext_variadic_main : ExtWarn< def ext_variadic_main : ExtWarn<
▲ Show 20 LinesShow All 10,574 LinesShow Last 20 Lines

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 402 Lines▼ Show 20 Linesstatic bool SemaBuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
BuiltinCall->setCallee(Builtin); BuiltinCall->setCallee(Builtin);
BuiltinCall->setArg(1, ChainResult.get()); BuiltinCall->setArg(1, ChainResult.get());
return false; return false;
} }
namespace { namespace {
class ScanfDiagnosticFormatHandler
: public analyze_format_string::FormatStringHandler {
// Accepts the argument index (relative to the first destination index) of the
// argument whose size we want.
using ComputeSizeFunction =
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

optional: llvm generally prefers FunctionRefs for simplicity and speed. if it's easy to refactor to use those (seems like it may be), please do. otherwise, it's not a big deal.

george.burgess.iv: optional: llvm generally prefers `FunctionRef`s for simplicity and speed. if it's easy to…
llvm::function_ref<Optional<llvm::APSInt>(unsigned)>;
// Accepts the argument index (relative to the first destination index), the
// destination size, and the source size).
using DiagnoseFunction =
llvm::function_ref<void(unsigned, unsigned, unsigned)>;
ComputeSizeFunction ComputeSizeArgument;
DiagnoseFunction Diagnose;
public:
ScanfDiagnosticFormatHandler(ComputeSizeFunction ComputeSizeArgument,
DiagnoseFunction Diagnose)
: ComputeSizeArgument(ComputeSizeArgument), Diagnose(Diagnose) {}
bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
const char *StartSpecifier,
unsigned specifierLen) override {
if (!FS.consumesDataArgument())
return true;
unsigned NulByte = 0;
switch ((FS.getConversionSpecifier().getKind())) {
default:
return true;
case analyze_format_string::ConversionSpecifier::sArg:
case analyze_format_string::ConversionSpecifier::ScanListArg:
NulByte = 1;
break;
case analyze_format_string::ConversionSpecifier::cArg:
break;
}
auto OptionalFW = FS.getFieldWidth();
if (OptionalFW.getHowSpecified() !=
analyze_format_string::OptionalAmount::HowSpecified::Constant)
return true;
unsigned SourceSize = OptionalFW.getConstantAmount() + NulByte;
auto DestSizeAPS = ComputeSizeArgument(FS.getArgIndex());
if (!DestSizeAPS)
return true;
unsigned DestSize = DestSizeAPS->getZExtValue();
if (DestSize < SourceSize)
Diagnose(FS.getArgIndex(), DestSize, SourceSize);
return true;
}
};
class EstimateSizeFormatHandler class EstimateSizeFormatHandler
: public analyze_format_string::FormatStringHandler { : public analyze_format_string::FormatStringHandler {
size_t Size; size_t Size;
public: public:
EstimateSizeFormatHandler(StringRef Format) EstimateSizeFormatHandler(StringRef Format)
: Size(std::min(Format.find(0), Format.size()) + : Size(std::min(Format.find(0), Format.size()) +
1 /* null byte always written by sprintf */) {} 1 /* null byte always written by sprintf */) {}
▲ Show 20 LinesShow All 191 Lines▼ Show 20 Lines auto ComputeExplicitObjectSizeArgument =
return Result.Val.getInt(); return Result.Val.getInt();
}; };
auto ComputeSizeArgument = [&](unsigned Index) -> Optional<llvm::APSInt> { auto ComputeSizeArgument = [&](unsigned Index) -> Optional<llvm::APSInt> {
// If the parameter has a pass_object_size attribute, then we should use its // If the parameter has a pass_object_size attribute, then we should use its
// (potentially) more strict checking mode. Otherwise, conservatively assume // (potentially) more strict checking mode. Otherwise, conservatively assume
// type 0. // type 0.
int BOSType = 0; int BOSType = 0;
// This check can fail for variadic functions.
if (Index < FD->getNumParams()) {
if (const auto *POS = if (const auto *POS =
enhUnsubmitted
Done
ReplyInline Actions

(stray tabs?)

enh: (stray tabs?)
mbenfieldAuthorUnsubmitted
Done
ReplyInline Actions

Not sure what you're referring to. AFAICT there are no tabs in this file.

mbenfield: Not sure what you're referring to. AFAICT there are no tabs in this file.
enhUnsubmitted
Done
ReplyInline Actions

oh, gerrit uses the >> symbol to mean "tab". is this tool just saying "indentation changed", not specifically "someone added a tab"?

enh: oh, gerrit uses the >> symbol to mean "tab". is this tool just saying "indentation changed"…
mbenfieldAuthorUnsubmitted
Done
ReplyInline Actions

Ah I see. Yes, I think that's correct, that it doesn't mean a tab here.

mbenfield: Ah I see. Yes, I think that's correct, that it doesn't mean a tab here.
FD->getParamDecl(Index)->getAttr<PassObjectSizeAttr>()) FD->getParamDecl(Index)->getAttr<PassObjectSizeAttr>())
BOSType = POS->getType(); BOSType = POS->getType();
}
const Expr *ObjArg = TheCall->getArg(Index); const Expr *ObjArg = TheCall->getArg(Index);
uint64_t Result; uint64_t Result;
if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType)) if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
return llvm::None; return llvm::None;
// Get the object size in the target's size_t width. // Get the object size in the target's size_t width.
return llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth); return llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
}; };
auto ComputeStrLenArgument = [&](unsigned Index) -> Optional<llvm::APSInt> { auto ComputeStrLenArgument = [&](unsigned Index) -> Optional<llvm::APSInt> {
Expr *ObjArg = TheCall->getArg(Index); Expr *ObjArg = TheCall->getArg(Index);
uint64_t Result; uint64_t Result;
if (!ObjArg->tryEvaluateStrLen(Result, getASTContext())) if (!ObjArg->tryEvaluateStrLen(Result, getASTContext()))
return llvm::None; return llvm::None;
// Add 1 for null byte. // Add 1 for null byte.
return llvm::APSInt::getUnsigned(Result + 1).extOrTrunc(SizeTypeWidth); return llvm::APSInt::getUnsigned(Result + 1).extOrTrunc(SizeTypeWidth);
}; };
Optional<llvm::APSInt> SourceSize; Optional<llvm::APSInt> SourceSize;
Optional<llvm::APSInt> DestinationSize; Optional<llvm::APSInt> DestinationSize;
unsigned DiagID = 0; unsigned DiagID = 0;
bool IsChkVariant = false; bool IsChkVariant = false;
auto GetFunctionName = [&]() {
StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);
// Skim off the details of whichever builtin was called to produce a better
// diagnostic, as it's unlikely that the user wrote the __builtin
// explicitly.
if (IsChkVariant) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
FunctionName = FunctionName.drop_back(std::strlen("_chk"));
} else if (FunctionName.startswith("__builtin_")) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin_"));
}
return FunctionName;
};
switch (BuiltinID) { switch (BuiltinID) {
default: default:
return; return;
case Builtin::BI__builtin_strcpy: case Builtin::BI__builtin_strcpy:
case Builtin::BIstrcpy: { case Builtin::BIstrcpy: {
DiagID = diag::warn_fortify_strlen_overflow; DiagID = diag::warn_fortify_strlen_overflow;
SourceSize = ComputeStrLenArgument(1); SourceSize = ComputeStrLenArgument(1);
DestinationSize = ComputeSizeArgument(0); DestinationSize = ComputeSizeArgument(0);
break; break;
} }
case Builtin::BI__builtin___strcpy_chk: { case Builtin::BI__builtin___strcpy_chk: {
DiagID = diag::warn_fortify_strlen_overflow; DiagID = diag::warn_fortify_strlen_overflow;
SourceSize = ComputeStrLenArgument(1); SourceSize = ComputeStrLenArgument(1);
DestinationSize = ComputeExplicitObjectSizeArgument(2); DestinationSize = ComputeExplicitObjectSizeArgument(2);
IsChkVariant = true; IsChkVariant = true;
break; break;
} }
case Builtin::BIscanf:
case Builtin::BIfscanf:
case Builtin::BIsscanf: {
unsigned FormatIndex = 1;
unsigned DataIndex = 2;
if (BuiltinID == Builtin::BIscanf) {
FormatIndex = 0;
DataIndex = 1;
}
const auto *FormatExpr =
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

nit: const auto if possible (and below)

george.burgess.iv: nit: const auto if possible (and below)
TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
const auto *Format = dyn_cast<StringLiteral>(FormatExpr);
if (!Format)
return;
if (!Format->isAscii() && !Format->isUTF8())
return;
auto Diagnose = [&](unsigned ArgIndex, unsigned DestSize,
unsigned SourceSize) {
DiagID = diag::warn_fortify_scanf_overflow;
unsigned Index = ArgIndex + DataIndex;
StringRef FunctionName = GetFunctionName();
DiagRuntimeBehavior(TheCall->getArg(Index)->getBeginLoc(), TheCall,
PDiag(DiagID) << FunctionName << (Index + 1)
<< DestSize << SourceSize);
};
StringRef FormatStrRef = Format->getString();
auto ShiftedComputeSizeArgument = [&](unsigned Index) {
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

Please put this in a variable and pass that into H's constructor. function_ref doesn't own the function it points to, so any use of this at line >= 758 (e.g., line 768) is a use-after-free.

george.burgess.iv: Please put this in a variable and pass that into `H`'s constructor. `function_ref` doesn't own…
return ComputeSizeArgument(Index + DataIndex);
};
ScanfDiagnosticFormatHandler H(ShiftedComputeSizeArgument, Diagnose);
const char *FormatBytes = FormatStrRef.data();
const ConstantArrayType *T =
Context.getAsConstantArrayType(Format->getType());
assert(T && "String literal not of constant array type!");
size_t TypeSize = T->getSize().getZExtValue();
// In case there's a null byte somewhere.
size_t StrLen =
std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0));
analyze_format_string::ParseScanfString(H, FormatBytes,
FormatBytes + StrLen, getLangOpts(),
Context.getTargetInfo());
// Unlike the other cases, in this one we have already issued the diagnostic
// here, so no need to continue (because unlike the other cases, here the
// diagnostic refers to the argument number).
return;
}
case Builtin::BIsprintf: case Builtin::BIsprintf:
case Builtin::BI__builtin___sprintf_chk: { case Builtin::BI__builtin___sprintf_chk: {
size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3; size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts(); auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
if (auto *Format = dyn_cast<StringLiteral>(FormatExpr)) { if (auto *Format = dyn_cast<StringLiteral>(FormatExpr)) {
if (!Format->isAscii() && !Format->isUTF8()) if (!Format->isAscii() && !Format->isUTF8())
▲ Show 20 LinesShow All 94 Lines▼ Show 20 Lines case Builtin::BI__builtin_vsnprintf: {
break; break;
} }
} }
if (!SourceSize || !DestinationSize || if (!SourceSize || !DestinationSize ||
SourceSize.getValue().ule(DestinationSize.getValue())) SourceSize.getValue().ule(DestinationSize.getValue()))
return; return;
StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID); StringRef FunctionName = GetFunctionName();
// Skim off the details of whichever builtin was called to produce a better
// diagnostic, as it's unlikely that the user wrote the __builtin explicitly.
if (IsChkVariant) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
FunctionName = FunctionName.drop_back(std::strlen("_chk"));
} else if (FunctionName.startswith("__builtin_")) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin_"));
}
SmallString<16> DestinationStr; SmallString<16> DestinationStr;
SmallString<16> SourceStr; SmallString<16> SourceStr;
DestinationSize->toString(DestinationStr, /*Radix=*/10); DestinationSize->toString(DestinationStr, /*Radix=*/10);
SourceSize->toString(SourceStr, /*Radix=*/10); SourceSize->toString(SourceStr, /*Radix=*/10);
DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall, DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
PDiag(DiagID) PDiag(DiagID)
<< FunctionName << DestinationStr << SourceStr); << FunctionName << DestinationStr << SourceStr);
▲ Show 20 LinesShow All 16,143 LinesShow Last 20 Lines

clang/test/Sema/warn-fortify-scanf.c

  • This file was added.
// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify
typedef struct _FILE FILE;
extern int scanf(const char *format, ...);
extern int fscanf(FILE *f, const char *format, ...);
extern int sscanf(const char *input, const char *format, ...);
void call_scanf() {
char buf10[10];
char buf20[20];
char buf30[30];
scanf("%4s %5s %10s", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 4 has size 10, but the corresponding specifier may require size 11}}
scanf("%4s %5s %11s", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 4 has size 10, but the corresponding specifier may require size 12}}
scanf("%4s %5s %9s", buf20, buf30, buf10);
scanf("%20s %5s %9s", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 2 has size 20, but the corresponding specifier may require size 21}}
scanf("%21s %5s %9s", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 2 has size 20, but the corresponding specifier may require size 22}}
scanf("%19s %5s %9s", buf20, buf30, buf10);
scanf("%19s %29s %9s", buf20, buf30, buf10);
scanf("%*21s %*30s %10s", buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 2 has size 10, but the corresponding specifier may require size 11}}
scanf("%*21s %5s", buf10);
scanf("%10s %*30s", buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 2 has size 10, but the corresponding specifier may require size 11}}
scanf("%9s %*30s", buf10);
scanf("%4[a] %5[a] %10[a]", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 4 has size 10, but the corresponding specifier may require size 11}}
scanf("%4[a] %5[a] %11[a]", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 4 has size 10, but the corresponding specifier may require size 12}}
scanf("%4[a] %5[a] %9[a]", buf20, buf30, buf10);
scanf("%20[a] %5[a] %9[a]", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 2 has size 20, but the corresponding specifier may require size 21}}
scanf("%21[a] %5[a] %9[a]", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 2 has size 20, but the corresponding specifier may require size 22}}
scanf("%19[a] %5[a] %9[a]", buf20, buf30, buf10);
scanf("%19[a] %29[a] %9[a]", buf20, buf30, buf10);
scanf("%4c %5c %10c", buf20, buf30, buf10);
scanf("%4c %5c %11c", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 4 has size 10, but the corresponding specifier may require size 11}}
scanf("%4c %5c %9c", buf20, buf30, buf10);
scanf("%20c %5c %9c", buf20, buf30, buf10);
scanf("%21c %5c %9c", buf20, buf30, buf10); // expected-warning {{'scanf' may overflow; destination buffer in argument 2 has size 20, but the corresponding specifier may require size 21}}
// Don't warn for other specifiers.
int x;
scanf("%12d", &x);
}
void call_sscanf() {
char buf10[10];
char buf20[20];
char buf30[30];
sscanf("a b c", "%4s %5s %10s", buf20, buf30, buf10); // expected-warning {{'sscanf' may overflow; destination buffer in argument 5 has size 10, but the corresponding specifier may require size 11}}
sscanf("a b c", "%4s %5s %11s", buf20, buf30, buf10); // expected-warning {{'sscanf' may overflow; destination buffer in argument 5 has size 10, but the corresponding specifier may require size 12}}
sscanf("a b c", "%4s %5s %9s", buf20, buf30, buf10);
sscanf("a b c", "%20s %5s %9s", buf20, buf30, buf10); // expected-warning {{'sscanf' may overflow; destination buffer in argument 3 has size 20, but the corresponding specifier may require size 21}}
sscanf("a b c", "%21s %5s %9s", buf20, buf30, buf10); // expected-warning {{'sscanf' may overflow; destination buffer in argument 3 has size 20, but the corresponding specifier may require size 22}}
sscanf("a b c", "%19s %5s %9s", buf20, buf30, buf10);
sscanf("a b c", "%19s %29s %9s", buf20, buf30, buf10);
}
void call_fscanf() {
char buf10[10];
char buf20[20];
char buf30[30];
fscanf(0, "%4s %5s %10s", buf20, buf30, buf10); // expected-warning {{'fscanf' may overflow; destination buffer in argument 5 has size 10, but the corresponding specifier may require size 11}}
fscanf(0, "%4s %5s %11s", buf20, buf30, buf10); // expected-warning {{'fscanf' may overflow; destination buffer in argument 5 has size 10, but the corresponding specifier may require size 12}}
fscanf(0, "%4s %5s %9s", buf20, buf30, buf10);
fscanf(0, "%20s %5s %9s", buf20, buf30, buf10); // expected-warning {{'fscanf' may overflow; destination buffer in argument 3 has size 20, but the corresponding specifier may require size 21}}
fscanf(0, "%21s %5s %9s", buf20, buf30, buf10); // expected-warning {{'fscanf' may overflow; destination buffer in argument 3 has size 20, but the corresponding specifier may require size 22}}
fscanf(0, "%19s %5s %9s", buf20, buf30, buf10);
fscanf(0, "%19s %29s %9s", buf20, buf30, buf10);
}