Handle unbalanced double-quotes in sprintf

- Handle unbalanced double-quotes. This is a compilation error, but we can handle it more gracefully.
2014-07-12 12:25:59 -04:00 · 2014-07-12 12:25:59 -04:00 · 202bf127dc
parent 40982f89ba
commit 202bf127dc
1 changed files with 9 additions and 1 deletions
--- a/10
+++ b/10
@ -559,7 +559,15 @@ p_dangerous_sprintf_format = re.compile(r'%-?([0-9]+|\*)?s')
 # sprintf has both buffer and format vulnerabilities.
 def c_sprintf(hit):
  source_position = hit.source_position
-  if source_position <= len(hit.parameters)-1:
+  if hit.parameters is None:
+    # Serious parameter problem, e.g., none, or a string constant that
+    # never finishes.
+    hit.warning = "format string parameter problem"
+    hit.suggestion = "Check if required parameters present and quotes close."
+    hit.level = 4
+    hit.category = "format"
+    hit.url = ""
+  elif source_position <= len(hit.parameters)-1:
    source=hit.parameters[source_position]
    if c_singleton_string(source):
      hit.level = 1