https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67729
Bug ID: 67729
Summary: scanf is missing buffer length sanity check ?
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: dcb314 at hotmail dot com
Target Milestone: ---

gcc doesn't seem to sanity check the buffer length mentioned in a call to scanf with %s

    # include <stdio.h>

    extern void g( FILE * fp);

    void f( FILE * fp)
    {
        char buf[ 10];

        while (fscanf( fp, "%10s", buf))
            ;
        while (fscanf( fp, "%5s", buf))
            ;
        while (fscanf( fp, "%20s", buf))
            ;

        g( fp);
    }

    $ ~/gcc/results/bin/g++ -c -g -O2 -Wall -Wextra -pedantic sep9a.cc
    $ ~/gcc/results/bin/g++ -v
    gcc version 6.0.0 20150926 (experimental) (GCC)

Here is cppcheck detecting the problem and suggesting a fix.

    $ ~/cppcheck/trunk/cppcheck sep9a.cc
    Checking sep9a.cc...
    [sep9a.cc:12]: (error) Width 10 given in format string (no. 1) is larger than destination buffer 'buf[10]', use %9s to prevent overflowing it.
    [sep9a.cc:16]: (error) Width 20 given in format string (no. 1) is larger than destination buffer 'buf[10]', use %9s to prevent overflowing it.
    $
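A hardened form of the pattern in the report, added here as an example (not code from the report, from GCC or from cppcheck): the scanf width is derived from the buffer size so the NUL terminator always fits, and the loop checks the conversion count rather than the raw return value. The function names and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from the bug report: read one
 * whitespace-delimited token into buf, deriving the scanf width from the
 * buffer size so the terminating NUL always fits ("%9s" for a 10-byte
 * buffer). Returns 1 when a token was read, 0 on EOF or failure. */
static int read_token(FILE *fp, char *buf, size_t bufsize)
{
    char fmt[32];

    if (bufsize < 2)              /* need room for one char plus NUL */
        return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", bufsize - 1);

    /* fscanf returns EOF (-1) at end of input, which is non-zero, so the
     * report's `while (fscanf(...)) ;` never terminates. Test for the
     * number of successful conversions instead. */
    return fscanf(fp, fmt, buf) == 1;
}

/* Tokenise constructed input with 10-byte destination buffers.
 * Returns the number of tokens read, or -1 if no scratch file is available.
 * A word longer than 9 characters is not overflowed but split: the
 * remainder is returned by the next read, so callers must expect that. */
static int split_tokens(const char *input, char out[][10], int max)
{
    FILE *fp = tmpfile();
    int n = 0;

    if (fp == NULL)
        return -1;
    fputs(input, fp);
    rewind(fp);
    while (n < max && read_token(fp, out[n], sizeof out[n]))
        n++;
    fclose(fp);
    return n;
}

int main(void)
{
    char toks[8][10];
    int n = split_tokens("abcdefghijklmnop qrs", toks, 8);  /* constructed */

    for (int i = 0; i < n; i++)
        printf("token %d: \"%s\" (%zu chars)\n", i, toks[i], strlen(toks[i]));
    return 0;
}
```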