C++: clarify ScanfOutput.getMinimumGuardConstant()

2025-12-24 04:36:35 +01:00 · 2022-08-25 15:07:39 +02:00
parent e39229d59e
commit a6a30b3725
1 changed files with 5 additions and 4 deletions
--- a/cpp/ql/src/Critical/MissingCheckScanf.ql
+++ b/cpp/ql/src/Critical/MissingCheckScanf.ql
@@ -33,15 +33,16 @@ class ScanfOutput extends Expr {
  ScanfFunctionCall getCall() { result = call }

  /**
-   * Any subsequent use of this argument should be surrounded by a
-   * check ensuring that the `scanf`-like function has returned a value
-   * equal to at least `getMinimumGuardConstant()`.
+   * Returns the smallest possible `scanf` return value that would indicate
+   * success in writing this output argument.
   */
  int getMinimumGuardConstant() {
    result =
      varargIndex + 1 -
        count(ScanfFormatLiteral f, int n |
-          n <= varargIndex and f.getUse() = call and f.parseConvSpec(n, _, _, _, "n")
+          // Special case: %n writes to an argument without reading any input.
+          // It does not increase the count returned by `scanf`.
+          n <= varargIndex and f.getUse() = call and f.getConversionChar(n) = "n"
        )
  }