Buffer overflow from incorrect string format specifier

String format specifier causes buffer argument of standard library functions to overflow

Description

This defect occurs when the format specifier argument for functions such as sscanf leads to an overflow or underflow in the memory buffer argument.

Risk

If the format specifier specifies a precision that is greater than the memory buffer size, an overflow occurs. Overflows can cause unexpected behavior such as memory corruption.

Fix

Use a format specifier that is compatible with the memory buffer size.

Examples

expand all

Memory Buffer Overflow

#include <stdio.h>

void func (char *str[]) {
    char buf[32];
    sscanf(str[1], "%33c", buf);
}

In this example, buf can contain 32 char elements. Therefore, the format specifier %33c causes a buffer overflow.

Correction — Use Smaller Precision in Format Specifier

One possible correction is to read a smaller number of elements into the buffer.

#include <stdio.h>

void func (char *str[]) {
    char buf[32];
    sscanf(str[1], "%32c", buf);
}

Result Information

Group: Static memory

Language: C | C++

Default: On for handwritten code, off for generated code

Command-Line Syntax: STR_FORMAT_BUFFER_OVERFLOW

Impact: High

Version History

Introduced in R2015b