Alternate format string checking: warn of '%n' as being potentially insecure.

llvm-svn: 94782

1 files changed, 11 insertions, 1 deletions

diff --git a/clang/lib/Sema/SemaChecking.cpp b/clang/lib/Sema/SemaChecking.cpp
index f34d2388b4c..d856a2323a4 100644
--- a/clang/lib/Sema/SemaChecking.cpp
+++ b/clang/lib/Sema/SemaChecking.cpp
@@ -1400,7 +1400,7 @@ CheckPrintfHandler::HandleFormatSpecifier(const analyze_printf::FormatSpecifier
   // Check for using an Objective-C specific conversion specifier
   // in a non-ObjC literal.
   if (!IsObjCLiteral && CS.isObjCArg()) {
-    SourceLocation Loc = getLocationOfByte(CS.getConversionStart());
+    SourceLocation Loc = getLocationOfByte(CS.getStart());
     S.Diag(Loc, diag::warn_printf_invalid_conversion)
       << llvm::StringRef(startSpecifier, specifierLen)
       << getFormatRange();
@@ -1408,6 +1408,16 @@ CheckPrintfHandler::HandleFormatSpecifier(const analyze_printf::FormatSpecifier
     // Continue checking the other format specifiers.
     return true;
   }
+  
+  // Are we using '%n'?  Issue a warning about this being
+  // a possible security issue.
+  if (CS.getKind() == ConversionSpecifier::OutIntPtrArg) {
+    S.Diag(getLocationOfByte(CS.getStart()), diag::warn_printf_write_back)
+      << getFormatRange();           
+    // Continue checking the other format specifiers.
+    return true;
+  }
+  
 
   return true;
 }