dkrupp · dkrupp · Oct 30, 2025 · Oct 30, 2025 · Oct 30, 2025 · Oct 30, 2025
diff --git a/clang-tools-extra/clang-tidy/bugprone/BugproneTidyModule.cpp b/clang-tools-extra/clang-tidy/bugprone/BugproneTidyModule.cpp
@@ -100,6 +100,7 @@
 #include "UnintendedCharOstreamOutputCheck.h"
 #include "UniquePtrArrayMismatchCheck.h"
 #include "UnsafeFunctionsCheck.h"
+#include "UnsafeFormatStringCheck.h"
 #include "UnusedLocalNonTrivialVariableCheck.h"
 #include "UnusedRaiiCheck.h"
 #include "UnusedReturnValueCheck.h"
@@ -287,6 +288,8 @@ class BugproneModule : public ClangTidyModule {
         "bugprone-crtp-constructor-accessibility");
     CheckFactories.registerCheck<UnsafeFunctionsCheck>(
         "bugprone-unsafe-functions");
+    CheckFactories.registerCheck<UnsafeFormatStringCheck>(
+        "bugprone-unsafe-format-string");
     CheckFactories.registerCheck<UnusedLocalNonTrivialVariableCheck>(
         "bugprone-unused-local-non-trivial-variable");
     CheckFactories.registerCheck<UnusedRaiiCheck>("bugprone-unused-raii");

diff --git a/clang-tools-extra/clang-tidy/bugprone/CMakeLists.txt b/clang-tools-extra/clang-tidy/bugprone/CMakeLists.txt
@@ -101,6 +101,7 @@ add_clang_library(clangTidyBugproneModule STATIC
   UnhandledSelfAssignmentCheck.cpp
   UniquePtrArrayMismatchCheck.cpp
   UnsafeFunctionsCheck.cpp
+  UnsafeFormatStringCheck.cpp
   UnusedLocalNonTrivialVariableCheck.cpp
   UnusedRaiiCheck.cpp
   UnusedReturnValueCheck.cpp

diff --git a/clang-tools-extra/clang-tidy/bugprone/UnsafeFormatStringCheck.cpp b/clang-tools-extra/clang-tidy/bugprone/UnsafeFormatStringCheck.cpp
@@ -0,0 +1,165 @@
+//===--- UnsafeFormatStringCheck.cpp - clang-tidy -----------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "UnsafeFormatStringCheck.h"
+#include "clang/ASTMatchers/ASTMatchFinder.h"
+#include "clang/Lex/Lexer.h"
+#include "llvm/Support/ConvertUTF.h"
+#include "llvm/Support/raw_ostream.h"
+
+using namespace clang::ast_matchers;
+
+namespace clang::tidy::bugprone {
+
+UnsafeFormatStringCheck::UnsafeFormatStringCheck(StringRef Name,
+                                                 ClangTidyContext *Context)
+    : ClangTidyCheck(Name, Context) {}
+
+void UnsafeFormatStringCheck::registerMatchers(MatchFinder *Finder) {
+  // Match vulnerable format string functions
+  auto VulnerableFunctions = hasAnyName(
+      "sprintf", "vsprintf", "scanf", "fscanf", "sscanf", "vscanf", "vfscanf",
+      "vsscanf", "wscanf", "fwscanf", "swscanf", "vwscanf", "vfwscanf", "vswscanf");
+
+  Finder->addMatcher(
+      callExpr(callee(functionDecl(VulnerableFunctions)),
+               anyOf(hasArgument(0, stringLiteral().bind("format")),
+                     hasArgument(1, stringLiteral().bind("format"))))
+          .bind("call"),
+      this);
+}
+
+void UnsafeFormatStringCheck::check(const MatchFinder::MatchResult &Result) {
+  const auto *Call = Result.Nodes.getNodeAs<CallExpr>("call");
+  const auto *Format = Result.Nodes.getNodeAs<StringLiteral>("format");
+
+  if (!Call || !Format)
+    return;
+
+  std::string FormatString;
+  if (Format->getCharByteWidth() == 1) {
+    FormatString = Format->getString().str();
+  } else if (Format->getCharByteWidth() == 2) {
+    // Handle wide strings by converting to narrow string for analysis
+    convertUTF16ToUTF8String(Format->getBytes(), FormatString);
+  } else if (Format->getCharByteWidth() == 4) {
+    // Handle wide strings by converting to narrow string for analysis
+    convertUTF32ToUTF8String(Format->getBytes(), FormatString);
+  }
+
+  const auto *Callee = cast<FunctionDecl>(Call->getCalleeDecl());
+  StringRef FunctionName = Callee->getName();
+
+  bool IsScanfFamily = FunctionName.contains("scanf");
+
+  if (!hasUnboundedStringSpecifier(FormatString, IsScanfFamily))
+    return;
+
+  auto Diag = diag(Call->getBeginLoc(),
+                   IsScanfFamily 
+                     ? "format specifier '%%s' without field width may cause buffer overflow; consider using '%%Ns' where N limits input length"
+                     : "format specifier '%%s' without precision may cause buffer overflow; consider using '%%.Ns' where N limits output length")
+              << Call->getSourceRange();
+
+  std::string SafeAlternative = getSafeAlternative(FunctionName);
+  if (!SafeAlternative.empty()) {
+    Diag << FixItHint::CreateInsertion(Call->getBeginLoc(),
+                                       "/* Consider using " + SafeAlternative + " */ ");
+  }
+}
+
+
+bool UnsafeFormatStringCheck::hasUnboundedStringSpecifier(StringRef FormatString, bool IsScanfFamily) {
+  size_t Pos = 0;
+  while ((Pos = FormatString.find('%', Pos)) != StringRef::npos) {
+    if (Pos + 1 >= FormatString.size())
+      break;
+
+    // Skip %%
+    if (FormatString[Pos + 1] == '%') {
+      Pos += 2;
+      continue;
+    }
+
+    size_t SpecPos = Pos + 1;
+
+    // Skip flags
+    while (SpecPos < FormatString.size() &&
+           (FormatString[SpecPos] == '-' || FormatString[SpecPos] == '+' ||
+            FormatString[SpecPos] == ' ' || FormatString[SpecPos] == '#' ||
+            FormatString[SpecPos] == '0')) {
+      SpecPos++;
+    }
+
+    // Check for field width
+    bool HasFieldWidth = false;
+    if (SpecPos < FormatString.size() && FormatString[SpecPos] == '*') {
+      HasFieldWidth = true;
+      SpecPos++;
+    } else {
+      while (SpecPos < FormatString.size() && isdigit(FormatString[SpecPos])) {
+        HasFieldWidth = true;
+        SpecPos++;
+      }
+    }
+
+    // Check for precision
+    bool HasPrecision = false;
+    if (SpecPos < FormatString.size() && FormatString[SpecPos] == '.') {
+      SpecPos++;
+      if (SpecPos < FormatString.size() && FormatString[SpecPos] == '*') {
+        HasPrecision = true;
+        SpecPos++;
+      } else {
+        while (SpecPos < FormatString.size() && isdigit(FormatString[SpecPos])) {
+          HasPrecision = true;
+          SpecPos++;
+        }
+      }
+    }
+
+    // Skip length modifiers
+    while (SpecPos < FormatString.size() &&
+           (FormatString[SpecPos] == 'h' || FormatString[SpecPos] == 'l' ||
+            FormatString[SpecPos] == 'L' || FormatString[SpecPos] == 'z' ||
+            FormatString[SpecPos] == 'j' || FormatString[SpecPos] == 't')) {
+      SpecPos++;
+    }
+
+    // Check for 's' specifier
+    if (SpecPos < FormatString.size() && FormatString[SpecPos] == 's') {
+      if (IsScanfFamily) {
+        // For scanf family, field width provides protection
+        if (!HasFieldWidth) {
+          return true;
+        }
+      } else {
+        // For sprintf family, only precision provides protection
+        if (!HasPrecision) {
+          return true;
+        }
+      }
+    }
+
+    Pos = SpecPos + 1;
+  }
+
+  return false;
+}
+
+std::string UnsafeFormatStringCheck::getSafeAlternative(StringRef FunctionName) {
+  if (FunctionName == "sprintf")
+    return "snprintf";
+  if (FunctionName == "vsprintf")
+    return "vsnprintf";
+  if (FunctionName.starts_with("scanf") || FunctionName.ends_with("scanf"))
+    return "add field width to %s specifiers";
+  return "";
+}
+
+} // namespace clang::tidy::bugprone
diff --git a/clang-tools-extra/clang-tidy/bugprone/UnsafeFormatStringCheck.h b/clang-tools-extra/clang-tidy/bugprone/UnsafeFormatStringCheck.h
@@ -0,0 +1,34 @@
+//===--- UnsafeFormatStringCheck.h - clang-tidy ---------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_UNSAFEFORMATSTRINGCHECK_H
+#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_UNSAFEFORMATSTRINGCHECK_H
+
+#include "../ClangTidyCheck.h"
+
+namespace clang::tidy::bugprone {
+
+/// Detects usage of vulnerable format string functions with unbounded %s
+/// specifiers that can cause buffer overflows.
+///
+/// For the user-facing documentation see:
+/// http://clang.llvm.org/extra/clang-tidy/checks/bugprone/unsafe-format-string.html
+class UnsafeFormatStringCheck : public ClangTidyCheck {
+public:
+  UnsafeFormatStringCheck(StringRef Name, ClangTidyContext *Context);
+  void registerMatchers(ast_matchers::MatchFinder *Finder) override;
+  void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
+
+private:
+  bool hasUnboundedStringSpecifier(StringRef FormatString, bool IsScanfFamily);
+  std::string getSafeAlternative(StringRef FunctionName);
+};
+
+} // namespace clang::tidy::bugprone
+
+#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_UNSAFEFORMATSTRINGCHECK_H
diff --git a/clang-tools-extra/docs/clang-tidy/checks/bugprone/unsafe-format-string.rst b/clang-tools-extra/docs/clang-tidy/checks/bugprone/unsafe-format-string.rst
@@ -0,0 +1,73 @@
+.. title:: clang-tidy - bugprone-unsafe-format-string
+
+bugprone-unsafe-format-string
+==============================
+
+Detects usage of vulnerable format string functions with unbounded ``%s``
+specifiers that can cause buffer overflows.
+
+The check identifies calls to format string functions like ``sprintf``, ``scanf``,
+and their variants that use ``%s`` format specifiers without proper limits.
+This can lead to buffer overflow vulnerabilities when the input string is longer
+than the destination buffer.
+
+Format Specifier Behavior
+--------------------------
+
+The check distinguishes between different function families:
+
+**scanf family functions**: Field width limits input length
+  - ``%s`` - unsafe (no limit)
+  - ``%99s`` - safe (reads at most 99 characters)
+
+**sprintf family functions**: Precision limits output length
+  - ``%s`` - unsafe (no limit)
+  - ``%99s`` - unsafe (minimum width, no maximum)
+  - ``%.99s`` - safe (outputs at most 99 characters)
+  - ``%10.99s`` - safe (minimum 10 chars, maximum 99 chars)
+
+Examples
+--------
+
+.. code-block:: c
+
+  char buffer[100];
+  const char* input = "user input";
+
+  // Unsafe sprintf usage
+  sprintf(buffer, "%s", input);      // No limit
+  sprintf(buffer, "%99s", input);    // Field width is minimum, not maximum
+
+  // Safe sprintf usage
+  sprintf(buffer, "%.99s", input);   // Precision limits to 99 chars
+  sprintf(buffer, "%10.99s", input); // Min 10, max 99 chars
+
+  // Unsafe scanf usage
+  scanf("%s", buffer);               // No limit
+
+  // Safe scanf usage
+  scanf("%99s", buffer);             // Field width limits to 99 chars
+
+  // Safe alternative: use safer functions
+  snprintf(buffer, sizeof(buffer), "%s", input);
+
+Checked Functions
+-----------------
+
+The check detects unsafe format strings in these functions:
+
+**sprintf family** (precision ``.N`` provides safety):
+* ``sprintf``, ``vsprintf``
+
+**scanf family** (field width ``N`` provides safety):
+* ``scanf``, ``fscanf``, ``sscanf``
+* ``vscanf``, ``vfscanf``, ``vsscanf``
+* ``wscanf``, ``fwscanf``, ``swscanf``
+* ``vwscanf``, ``vfwscanf``, ``vswscanf``
+
+Recommendations
+---------------
+
+* For ``sprintf`` family: Use precision specifiers (``%.Ns``) or ``snprintf``
+* For ``scanf`` family: Use field width specifiers (``%Ns``)
+* Consider using safer string handling functions when possible