proposed patch: detecting non-constant format strings in printf calls

I’ve coded up some support in clang to flag warnings for non-constant format strings used in calls to printf-like functions (all the functions listed in “man fprintf”). Non-constant format strings are a source of many security exploits in C/C++ programs, and I believe are currently detected by gcc using the flag -Wformat-nonliteral.

I’ve attached a patch that adds this support. I’ve also included two new files not under version control, including one file for regression testing.

I plan on adding additional checking for format strings.

Patch affects:

include/clang/Basic/DiagnosticKinds.def
Sema/SemaExpr.cpp
Sema/Sema.cpp
Sema/Sema.h

New files:

in Sema/: SemaChecking.cpp
in test/: format-strings.c

format_string.patch (4.75 KB)

SemaChecking.cpp (3.58 KB)

format-strings.c (982 Bytes)

> I've coded up some support in clang to flag warnings for non-constant format strings used in calls to printf-like functions (all the functions listed in "man fprintf"). Non-constant format strings are a source of many security exploits in C/C++ programs, and I believe are currently detected by gcc using the flag -Wformat-nonliteral.
>
> I've attached a patch that adds this support. I've also included two new files not under version control, including one file for regression testing.

Looks great, applied!

Thanks Ted,

-Chris
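To illustrate the class of call the thread's warning targets, here is an added example (not taken from the attached patch or its test file) showing a printf-like wrapper with a non-constant format string beside the corrected form. The names `log_fmt`, `log_untrusted`, `log_untrusted_flagged` and the `SHOW_FLAGGED` macro are assumptions made for the illustration, and the `format` attribute is the GCC/Clang extension for marking user-defined printf-like functions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper. The format attribute declares argument 3 to
 * be a printf-style format string, so calls to log_fmt get the same
 * format-string diagnostics as calls to printf itself. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

#ifdef SHOW_FLAGGED
/* Flagged form: the caller-supplied text is used as the format string, so
 * any '%' directives it contains are interpreted by the formatter.
 * Build with -DSHOW_FLAGGED -Wformat -Wformat-nonliteral to see the
 * diagnostic; it is excluded from the default build. */
static int log_untrusted_flagged(char *out, size_t n, const char *msg)
{
    return log_fmt(out, n, msg);
}
#endif

/* Corrected form: the format is a string literal the compiler can check,
 * and the untrusted text is passed as data for %s. */
static int log_untrusted(char *out, size_t n, const char *msg)
{
    return log_fmt(out, n, "user said: %s", msg);
}

int main(void)
{
    char buf[64];
    /* Constructed sample input that contains format directives. */
    log_untrusted(buf, sizeof buf, "100%% done %s %n");
    puts(buf); /* the directives come out verbatim, as plain text */
    return 0;
}
```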