Conversation

Owner

@dkrupp dkrupp commented Nov 7, 2025

Add a new bugprone-unsafe-format-string clang-tidy checker, which warns on invocations of scanf- and sprintf-like functions with a format string literal containing an unbounded %s specifier, which can cause a buffer overflow.
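As an added illustration of the pattern the checker targets (example code written for this page, not part of the PR or of the clang-tidy check itself): the unbounded `%s` in sscanf beside the width-limited form, and sprintf's unbounded output beside snprintf with truncation detection. The names parse_name_unsafe, parse_name_bounded, format_greeting and NAME_WIDTH, and the sample input, are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example only: hypothetical names and buffer sizes. */
#define NAME_WIDTH 15            /* max bytes the %s conversion may store */
#define STR2(x) #x
#define STR(x) STR2(x)           /* "%" STR(NAME_WIDTH) "s" -> "%15s" */

/* The form the checker warns about: "%s" with no field width. sscanf
 * stores the whole whitespace-delimited token, so a token longer than
 * NAME_WIDTH bytes writes past the end of name[]. Kept only to show the
 * flagged pattern; never call it with untrusted input. */
int parse_name_unsafe(const char *line, char name[NAME_WIDTH + 1]) {
    return sscanf(line, "%s", name);
}

/* Hardened form: the field width caps the conversion at NAME_WIDTH bytes
 * and sscanf always appends the terminating NUL, so a destination of
 * NAME_WIDTH + 1 bytes cannot overflow. The width is derived from the
 * buffer size via the preprocessor so the two cannot drift apart; the
 * adjacent literals still fold into a single "%15s" string literal. */
int parse_name_bounded(const char *line, char name[NAME_WIDTH + 1]) {
    return sscanf(line, "%" STR(NAME_WIDTH) "s", name);
}

/* sprintf(dst, "hello %s", name) is the output-side twin: the written
 * length is controlled by the caller-supplied argument. snprintf with the
 * real destination size bounds the write, and its return value reveals
 * truncation. Returns 0 on success, 1 if truncated, -1 on encoding error. */
int format_greeting(char *dst, size_t dstsz, const char *name) {
    int n = snprintf(dst, dstsz, "hello %s", name);
    if (n < 0)
        return -1;
    return (size_t)n >= dstsz ? 1 : 0;
}

int main(void) {
    /* Constructed input: a 40-byte token, far longer than NAME_WIDTH. */
    const char *line = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA tail";
    char name[NAME_WIDTH + 1];
    int rc = parse_name_bounded(line, name);
    printf("bounded: rc=%d len=%zu name=%s\n", rc, strlen(name), name);

    char small[8];
    int trunc = format_greeting(small, sizeof small, "world");
    printf("snprintf: truncated=%d dst=\"%s\"\n", trunc, small);
    return 0;
}
```

Note that only the scanf family can be fixed by a width in the format string; for the printf family the width does not bound the output, so the fix is snprintf/vsnprintf with the destination size, plus a check of the return value for truncation.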

@NagyDonat NagyDonat left a comment

The code looks reasonable overall, but I have a few suggestions in inline comments. I didn't inspect the test files, but based on a brief look they are probably fine as well.

Comment on lines +31 to +32
anyOf(hasArgument(0, stringLiteral().bind("format")),
hasArgument(1, stringLiteral().bind("format"))))

This logic is a bit hacky -- it would be more elegant if the checker knew that e.g. the format string of sprintf is always at argument index 1, while the format string of scanf is always at argument index 0. However, code that would confuse this check is wildly incorrect, won't occur in the wild and would produce compiler errors (or at least severe warnings), so this is not a serious issue.

- Only matching global functions in C and std namespace in C++
- Adding C++ namespace tests
- Removing fixit hints
- Removing standard header includes from the test files and adding function/type definitions
- Other small fixes

Owner Author

@dkrupp dkrupp left a comment

Thanks for the review. Your remarks are fixed.

@dkrupp dkrupp requested a review from NagyDonat November 12, 2025 12:58
@NagyDonat NagyDonat left a comment

LGTM if you switch to using system header simulators (as far as it's possible).

Comment on lines 5 to 31
#include <stdarg.h>

typedef __SIZE_TYPE__ size_t;
typedef __WCHAR_TYPE__ wchar_t;
typedef void *FILE;
extern FILE *stdin;
extern FILE *stderr;

extern int fscanf ( FILE * stream, const char * format, ... );
extern int scanf ( const char * format, ... );
extern int sscanf ( const char * s, const char * format, ...);
extern int vscanf( const char *restrict format, va_list vlist );
extern int vfscanf ( FILE * stream, const char * format, va_list arg );

extern int vsscanf( const char *restrict buffer, const char *restrict format, va_list vlist );
extern int vwscanf( const wchar_t* format, va_list vlist );
extern int vfwscanf( FILE* stream, const wchar_t* format, va_list vlist );
extern int vswscanf( const wchar_t* buffer, const wchar_t* format, va_list vlist );
extern int swscanf (const wchar_t* ws, const wchar_t* format, ...);
extern int wscanf( const wchar_t *format, ... );
extern int fwscanf( FILE *stream, const wchar_t *format, ... );

extern int printf( const char* format, ... );
extern int sprintf( char* buffer, const char* format, ... );
extern int vsprintf (char * s, const char * format, va_list arg );
extern int vsnprintf (char * s, size_t n, const char * format, va_list arg );
extern int fprintf( FILE* stream, const char* format, ... );
extern int snprintf( char* restrict buffer, size_t bufsz,
const char* restrict format, ... );

Use a system header simulator file.
