invalidScanf: removed the checking for 'scanf crash with huge input data for old glibc'. new systems are not vulnerable to this bug anymore.

2015-08-14 08:03:46 +02:00 · 2015-08-14 08:03:46 +02:00 · e578988832
parent e9b1f1f0a6
commit e578988832
3 changed files with 7 additions and 47 deletions
--- a/lib/checkio.cpp
+++ b/lib/checkio.cpp
@ -367,12 +367,9 @@ void CheckIO::seekOnAppendedFileError(const Token *tok)
 //---------------------------------------------------------------------------
 void CheckIO::invalidScanf()
 {
-    const bool printWarning = _settings->isEnabled("warning");
-    const bool printPortability = _settings->isEnabled("portability");
-    if (!printWarning && !printPortability)
+    if (!_settings->isEnabled("warning"))
        return;

-    const bool windows = _settings->isWindowsPlatform();
    const SymbolDatabase * const symbolDatabase = _tokenizer->getSymbolDatabase();
    std::size_t functions = symbolDatabase->functionScopes.size();
    for (std::size_t j = 0; j < functions; ++j) {
@ -406,10 +403,8 @@ void CheckIO::invalidScanf()
                }

                else if (std::isalpha((unsigned char)formatstr[i]) || formatstr[i] == '[') {
-                    if (printWarning && (formatstr[i] == 's' || formatstr[i] == '[' || formatstr[i] == 'S' || (formatstr[i] == 'l' && formatstr[i+1] == 's')))  // #3490 - field width limits are only necessary for string input
-                        invalidScanfError(tok, false);
-                    else if (printPortability && formatstr[i] != 'n' && formatstr[i] != 'c' && !windows)
-                        invalidScanfError(tok, true); // Warn about libc bug in versions prior to 2.13-25
+                    if (formatstr[i] == 's' || formatstr[i] == '[' || formatstr[i] == 'S' || (formatstr[i] == 'l' && formatstr[i+1] == 's'))  // #3490 - field width limits are only necessary for string input
+                        invalidScanfError(tok);
                    format = false;
                }
            }
@ -417,28 +412,9 @@ void CheckIO::invalidScanf()
    }
 }

-void CheckIO::invalidScanfError(const Token *tok, bool portability)
+void CheckIO::invalidScanfError(const Token *tok)
 {
-    if (portability)
-        reportError(tok, Severity::portability,
-                    "invalidscanf_libc", "scanf without field width limits can crash with huge input data on some versions of libc.\n"
-                    "scanf without field width limits can crash with huge input data on libc versions older than 2.13-25. Add a field "
-                    "width specifier to fix this problem:\n"
-                    "    %i => %3i\n"
-                    "\n"
-                    "Sample program that can crash:\n"
-                    "\n"
-                    "#include <stdio.h>\n"
-                    "int main()\n"
-                    "{\n"
-                    "    int a;\n"
-                    "    scanf(\"%i\", &a);\n"
-                    "    return 0;\n"
-                    "}\n"
-                    "\n"
-                    "To make it crash:\n"
-                    "perl -e 'print \"5\"x2100000' | ./a.out");
-    else
+
        reportError(tok, Severity::warning,
                    "invalidscanf", "scanf without field width limits can crash with huge input data.\n"
                    "scanf without field width limits can crash with huge input data. Add a field width "
--- a/lib/checkio.h
+++ b/lib/checkio.h
@ -102,7 +102,7 @@ private:
    void writeReadOnlyFileError(const Token *tok);
    void useClosedFileError(const Token *tok);
    void seekOnAppendedFileError(const Token *tok);
-    void invalidScanfError(const Token *tok, bool portability);
+    void invalidScanfError(const Token *tok);
    void wrongPrintfScanfArgumentsError(const Token* tok,
                                        const std::string &function,
                                        unsigned int numFormat,
@ -133,8 +133,7 @@ private:
        c.writeReadOnlyFileError(0);
        c.useClosedFileError(0);
        c.seekOnAppendedFileError(0);
-        c.invalidScanfError(0, false);
-        c.invalidScanfError(0, true);
+        c.invalidScanfError(0);
        c.wrongPrintfScanfArgumentsError(0,"printf",3,2);
        c.invalidScanfArgTypeError_s(0, 1, "s", NULL);
        c.invalidScanfArgTypeError_int(0, 1, "d", NULL, false);
--- a/test/testio.cpp
+++ b/test/testio.cpp
@ -44,7 +44,6 @@ private:

        TEST_CASE(testScanf1); // Scanf without field limiters
        TEST_CASE(testScanf2);
-        TEST_CASE(testScanf3);
        TEST_CASE(testScanf4); // #ticket 2553

        TEST_CASE(testScanfArgument);
@ -702,20 +701,6 @@ private:
        ASSERT_EQUALS("[test.cpp:4]: (warning) scanf format string requires 0 parameters but 1 is given.\n", errout.str());
    }

-    void testScanf3() {
-        check("void foo() {\n"
-              "    scanf(\"%d\", &a);\n"
-              "    scanf(\"%n\", &a);\n" // No warning on %n, since it doesn't expect user input
-              "    scanf(\"%c\", &c);\n" // No warning on %c; it expects only one character
-              "}", false, true, Settings::Unspecified);
-        ASSERT_EQUALS("[test.cpp:2]: (portability) scanf without field width limits can crash with huge input data on some versions of libc.\n", errout.str());
-
-        check("void foo() {\n"
-              "    scanf(\"%d\", &a);\n"
-              "}", false, true, Settings::Win32A);
-        ASSERT_EQUALS("", errout.str());
-    }
-
    void testScanf4() { // ticket #2553
        check("void f()\n"
              "{\n"