Alternate format string checking: warn of '%n' as being potentially insecure.
authorTed Kremenek <kremenek@apple.com>
Fri, 29 Jan 2010 01:35:25 +0000 (01:35 +0000)
committerTed Kremenek <kremenek@apple.com>
Fri, 29 Jan 2010 01:35:25 +0000 (01:35 +0000)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@94782 91177308-0d34-0410-b5e6-96231b3b80d8

include/clang/Analysis/Analyses/PrintfFormatString.h
lib/Sema/SemaChecking.cpp

index 151a06ebc07d951990fd072f6e538719671ddde0..488d208503eb8d82f81314ef456efb7db52f6445 100644 (file)
@@ -65,7 +65,7 @@ public:
   ConversionSpecifier(const char *pos, Kind k)
     : Position(pos), kind(k) {}
 
-  const char *getConversionStart() const {
+  const char *getStart() const {
     return Position;
   }
   
index f34d2388b4c173ff1a92764234eb2f0a60497d66..d856a2323a444382d63e752af334600256f17fee 100644 (file)
@@ -1400,7 +1400,7 @@ CheckPrintfHandler::HandleFormatSpecifier(const analyze_printf::FormatSpecifier
   // Check for using an Objective-C specific conversion specifier
   // in a non-ObjC literal.
   if (!IsObjCLiteral && CS.isObjCArg()) {
-    SourceLocation Loc = getLocationOfByte(CS.getConversionStart());
+    SourceLocation Loc = getLocationOfByte(CS.getStart());
     S.Diag(Loc, diag::warn_printf_invalid_conversion)
       << llvm::StringRef(startSpecifier, specifierLen)
       << getFormatRange();
@@ -1408,6 +1408,16 @@ CheckPrintfHandler::HandleFormatSpecifier(const analyze_printf::FormatSpecifier
     // Continue checking the other format specifiers.
     return true;
   }
+  
+  // Are we using '%n'?  Issue a warning about this being
+  // a possible security issue.
+  if (CS.getKind() == ConversionSpecifier::OutIntPtrArg) {
+    S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back)
+      << getFormatRange();           
+    // Continue checking the other format specifiers.
+    return true;
+  }
+  
 
   return true;
 }
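Review bot: The `return true;` inside the new `%n` block is redundant with the final `return true;` of HandleFormatSpecifier (whose body starts outside this hunk), and it would silently skip any per-specifier check later added below it, such as verifying that the matching argument is an `int *`. Letting the block fall through keeps `%n` on the same path as every other specifier: keep `S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back) << getFormatRange();` and drop the early return and its comment. The comment above the check could also say why the specifier is flagged, e.g. `// '%n' makes printf store the number of bytes written so far through a pointer argument; it is the only conversion that writes to memory.` The file list shows no test change, so a Sema test pinning the warning's location and range would be worth adding with this commit.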