From ab09043a1985bfb9f1e4393a29a9d83326d306fe Mon Sep 17 00:00:00 2001
From: serge-sans-paille
Date: Fri, 2 Sep 2022 13:36:08 +0200
Subject: [PATCH] [clang] Fix crash when parsing scanf format string with missing arguments

When parsing a format string with less argument than specified, one should check argument access because there may be no such argument.

This fixes #57517

Differential Revision: https://reviews.llvm.org/D133197
---
 clang/lib/Sema/SemaChecking.cpp | 3 +++
 clang/test/Sema/format-strings-scanf.c | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/clang/lib/Sema/SemaChecking.cpp b/clang/lib/Sema/SemaChecking.cpp
index 897ab70..afe99ad 100644
--- a/clang/lib/Sema/SemaChecking.cpp
+++ b/clang/lib/Sema/SemaChecking.cpp
@@ -1066,6 +1066,9 @@ void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
 return llvm::None;
 unsigned NewIndex = *IndexOptional;
+ if (NewIndex >= TheCall->getNumArgs())
+ return llvm::None;
+
 const Expr *ObjArg = TheCall->getArg(NewIndex);
 uint64_t Result;
 if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
diff --git a/clang/test/Sema/format-strings-scanf.c b/clang/test/Sema/format-strings-scanf.c
index aebb68c..eb5b8ec 100644
--- a/clang/test/Sema/format-strings-scanf.c
+++ b/clang/test/Sema/format-strings-scanf.c
@@ -69,6 +69,11 @@ void bad_length_modifiers(char *s, void *p, wchar_t *ws, long double *ld) {
 scanf("%#.2Lf", ld); // expected-warning{{invalid conversion specifier '#'}}
 }
+void missing_argument_with_length_modifier() {
+ char buf[30];
+ scanf("%s:%900s", buf); // expected-warning{{more '%' conversions than data arguments}}
+}
+
 // Test that the scanf call site is where the warning is attached. If the
 // format string is somewhere else, point to it in a note.
 void pr9751(void) {
-- 
2.7.4
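Review bot: The new bounds check on `NewIndex` has no comment explaining why an index that was translated from the format string can exceed the call's actual argument count, so a later reader may take it for defensive noise and fold it away. Suggest adding above the `if`: `// The format string may name more arguments than the call supplies (that case is diagnosed separately); bail out rather than read past the end of the argument list.` The code around the check returns `llvm::None` while the hunk header names the void-returning `checkFortifiedBuiltinMemoryFunction`, so this presumably sits in a lambda or local helper inside it whose start and end are outside the hunk, and the `Optional` it returns should say in its own doc comment that "no argument" is one of the `None` cases.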
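Review bot: `missing_argument_with_length_modifier()` is declared with an empty parameter list while the neighbouring `pr9751(void)` and `bad_length_modifiers(...)` use prototypes; in a C file `()` is an unprototyped declaration, so `void missing_argument_with_length_modifier(void) {` would match the file's style and avoid a -Wstrict-prototypes diagnostic if the RUN line (outside the hunk) enables it. The name is also a misnomer: the `900` in `%900s` is a maximum field width, not a length modifier (`h`, `l`, `L`), and the width is presumably what routes this call into the object-size computation that used to crash, so `missing_argument_with_field_width` would describe the regression case more accurately. A one-line comment naming the issue being regression-tested, e.g. `// #57517: the width made Sema look up a destination argument that does not exist.`, would help the next person who touches this test.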