[Bug c/67729] New: scanf is missing buffer length sanity check ?
dcb314 at hotmail dot com
gcc-bugzilla@gcc.gnu.org
Sun Sep 27 09:02:00 GMT 2015
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67729
Bug ID: 67729
Summary: scanf is missing buffer length sanity check ?
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: dcb314 at hotmail dot com
Target Milestone: ---
gcc doesn't seem to sanity check the buffer length
mentioned in a call to scanf with %s
#include <stdio.h>
extern void g(FILE *fp);
void f(FILE *fp)
{
    char buf[10];
    while (fscanf(fp, "%10s", buf))
        ;
    while (fscanf(fp, "%5s", buf))
        ;
    while (fscanf(fp, "%20s", buf))
        ;
    g(fp);
}
$ ~/gcc/results/bin/g++ -c -g -O2 -Wall -Wextra -pedantic sep9a.cc
$ ~/gcc/results/bin/g++ -v
gcc version 6.0.0 20150926 (experimental) (GCC)
Here is cppcheck detecting the problem and suggesting a fix.
$ ~/cppcheck/trunk/cppcheck sep9a.cc
Checking sep9a.cc...
[sep9a.cc:12]: (error) Width 10 given in format string (no. 1) is larger than destination buffer 'buf[10]', use %9s to prevent overflowing it.
[sep9a.cc:16]: (error) Width 20 given in format string (no. 1) is larger than destination buffer 'buf[10]', use %9s to prevent overflowing it.
$
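The rule behind cppcheck's diagnostic is that a "%Ns" conversion stores up to N characters and then a terminating NUL, so the width must be at most sizeof(buf) - 1; for buf[10] that is %9s, and %10s already writes one byte past the end. The following program, added here as an illustration and not part of the bug report, GCC or cppcheck, shows the two defensive halves of that rule: a small checker that inspects a format string the way a static analyser would (it also handles the %% literal and the assignment-suppressing %*s, which cppcheck's message does not mention), and a reader that derives the width from the buffer size instead of hard-coding it. The helper names (max_scanf_width, scanf_s_width_fits, read_token) are hypothetical and the input string is constructed; sscanf is used in place of fscanf so the example runs without a file.

```c
#include <stdio.h>
#include <string.h>

/* Largest field width a "%Ns" conversion may use for a bufsize-byte
 * destination: scanf stores up to N characters plus a terminating NUL,
 * so N may be at most bufsize - 1 (0 if there is no room for the NUL). */
size_t max_scanf_width(size_t bufsize)
{
    return bufsize > 0 ? bufsize - 1 : 0;
}

/* Hypothetical checker mirroring the cppcheck diagnostic: find the first %s
 * conversion in fmt and decide whether its width bounds writes to a
 * bufsize-byte buffer. "%%" is a literal percent sign and "%*s" stores
 * nothing, so both are skipped or accepted accordingly.
 * Returns 1 if the conversion is safe, 0 if the width is missing or too
 * large, and -1 if fmt contains no %s conversion at all. */
int scanf_s_width_fits(const char *fmt, size_t bufsize)
{
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%": literal percent, not a conversion */
            p++;
            continue;
        }
        int suppressed = 0;
        if (*p == '*') {            /* "%*s": matched but never stored */
            suppressed = 1;
            p++;
        }
        int has_width = 0;
        unsigned long width = 0;
        while (*p >= '0' && *p <= '9') {
            has_width = 1;
            width = width * 10 + (unsigned long)(*p++ - '0');
        }
        if (*p == 's') {
            if (suppressed)
                return 1;
            if (!has_width)         /* bare "%s" is unbounded */
                return 0;
            return width <= max_scanf_width(bufsize);
        }
        /* some other conversion (or end of string): keep looking */
    }
    return -1;
}

/* Read one whitespace-delimited token from src into buf. The width is
 * built from bufsize at run time, so it cannot drift out of step with the
 * buffer declaration the way a hard-coded "%10s" can. Returns 1 on success. */
int read_token(const char *src, char *buf, size_t bufsize)
{
    char fmt[32];
    if (bufsize < 2)                /* need room for one char plus the NUL */
        return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", max_scanf_width(bufsize)); /* e.g. "%9s" */
    return sscanf(src, fmt, buf) == 1;
}

int main(void)
{
    char buf[10];
    /* The three widths from the bug report, checked against buf[10]. */
    const char *formats[] = { "%10s", "%5s", "%20s" };
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++)
        printf("%-5s into buf[10]: %s\n", formats[i],
               scanf_s_width_fits(formats[i], sizeof buf) == 1 ? "ok" : "overflow");

    /* Constructed input longer than the buffer: the token is cut at 9 chars. */
    if (read_token("abcdefghijklmnop", buf, sizeof buf))
        printf("read \"%s\" (%zu chars)\n", buf, strlen(buf));
    return 0;
}
```

Compiled with the same -Wall -Wextra flags as in the report, the checker flags %10s and %20s exactly as cppcheck does and accepts %5s, while read_token always produces a NUL-terminated string of at most nine characters regardless of the input length.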