unsafe-ret-snprintf-vsnprintf.yaml
rules:
  - id: raptor-unsafe-ret-snprintf-vsnprintf
    metadata:
      author: Marco Ivaldi <raptor@0xdeadbeef.info>
      references:
        - https://lwn.net/Articles/507319/
        - https://g.co/kgs/PCHQjJ
        - https://dustri.org/b/playing-with-weggli.html
      confidence: MEDIUM
      # NOTE: see also cpp.strings.snprintf-return-value-length.snprintf-return-value-length.
    message: >-
      The snprintf() and vsnprintf() functions return the total length of
      the string they tried to create. Therefore, this return value can be
      larger than the size of the destination buffer. If it is used
      unsafely, e.g. as an index to write to the destination buffer, memory
      corruption might occur.
    severity: WARNING
    languages:
      - c
      - cpp
    pattern-either:
      # =
      - pattern: $RET = snprintf(...)
      - pattern: $RET = vsnprintf(...)
      # +=
      - pattern: $RET += snprintf(...)
      - pattern: $RET += vsnprintf(...)
      # swprintf() and vswprintf() return a negative value if n or more
      # widechars were requested to be written, thus behaving more safely
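
The failure mode described in the rule's message, shown as an added C example (it is not part of the rule file or the author's repository). The function names `join_unsafe`, `join_checked` and `would_be_length` are hypothetical, and the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* snprintf() reports the length it wanted to write, not what it stored. */
int would_be_length(const char *s)
{
    char small[8];
    return snprintf(small, sizeof small, "%s", s);
}

/* The "+=" form the rule matches: the return value moves the offset
 * unchecked. If the first field is truncated, off exceeds size,
 * size - off wraps around (size_t), and the second call is handed a
 * pointer past the buffer together with a huge length. */
size_t join_unsafe(char *buf, size_t size, const char *a, const char *b)
{
    size_t off = 0;
    off += snprintf(buf + off, size - off, "%s", a);
    off += snprintf(buf + off, size - off, ",%s", b);
    return off;
}

/* Hardened form: validate each return value before using it.
 * Returns the bytes stored (excluding the NUL), or -1 on an
 * encoding error or truncation. */
int join_checked(char *buf, size_t size, const char *a, const char *b)
{
    const char *fmt[] = { "%s", ",%s" };
    const char *arg[] = { a, b };
    size_t off = 0;

    for (int i = 0; i < 2; i++) {
        int n = snprintf(buf + off, size - off, fmt[i], arg[i]);
        if (n < 0 || (size_t)n >= size - off)
            return -1;              /* do not advance past the buffer */
        off += (size_t)n;
    }
    return (int)off;
}

int main(void)
{
    char buf[8];
    /* Constructed inputs: a 12-character string and an 8-byte buffer. */
    printf("reported length: %d\n", would_be_length("hello, world"));
    printf("truncated: %d\n", join_checked(buf, sizeof buf, "hello, world", "x"));
    printf("fits: %d (%s)\n", join_checked(buf, sizeof buf, "ab", "cd"), buf);
    return 0;
}
```

`join_unsafe` is only well-defined while every field fits, so `main` never calls it with an oversized input.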