I'm creating a .dll in C using Visual Studio 2019. I am using _In_bytecount_ to help prevent buffer overflows where I can.
pmReportCrash(
_In_bytecount_(_wndTitleLength * 2) LPCWCH _wndTitle,
_In_ size_t _wndTitleLength,
_In_bytecount_(_wndMSGLength * 2) LPCWCH _wndMSG,
_In_ size_t _wndMSGLength,
_In_bytecount_(_wndDescLength * 2) LPCWCH _wndDesc,
_In_ size_t _wndDescLength,
_In_bytecount_(_wndRestartCommandLength * 2) LPCWCH _wndRestartCommand,
_In_ size_t _wndRestartCommandLength,
_In_bytecount_(_wndIconDirLength * 2) LPCWCH _wndIconDir,
_In_ size_t _wndIconDirLength,
_In_bytecount_(_wndImageDirLength * 2) LPCWCH _wndImageDir,
_In_ size_t _wndImageDirLength
)
But when I took my wide characters and passed them to swprintf_s as parameters:

swprintf_s(wndMSGParam, _wndMSGLength + 5, L"/m \"%s\"", _wndMSG);
It started saying this:

Warning C26052: Potentially unconstrained access using expression '(LPCWCH)_wndMSG'. Buffer _wndMSG is passed to function swprintf_s as unannotated parameter 4. None of the other parameters seem to be constrained by the buffer length. Buffer _wndMSG is a parameter to this function declared on line 13. Buffer is of length offset(_wndMSG) + 2*_wndMSGLength bytes [from annotation SAL_readableTo(byteCount(_wndMSGLength * 2)) at c:\users%userdir%\source\repos\api.postman.crashreporter\api.postman.crashreporter\postman.crash reporter.h(16)]. Values of variables: Pointer _wndMSG is at offset 0 bytes from the start of the buffer. Pointer result.malloc is at offset offset(result.malloc) bytes from the start of result.malloc. _wndMSGLength = _wndMSGLength, wndMSGParam = result.malloc, where offset(_wndMSG) == 0, _wndMSGLength >= 1.
Project: API.Postman.CrashReporter, File: C:\Users%userdir%\source\repos\API.Postman.CrashReporter\API.Postman.CrashReporter\PostMan.Crash Reporter.c, Line: 54
Is this warning possible to fix or do I need to suppress it if I want to get rid of it?
CodePudding user response:
Here are some ideas:

- The arguments do not seem to be null terminated, so you should use %.*s to specify a maximum length to read from _wndMSG.
- The size argument to swprintf_s should include space for the null terminator.
- The C Standard specifies that the argument type for %s should be a pointer to char, not wchar_t. Unless Microsoft has a different convention, you should use %ls for an LPCWCH argument.
Try using this:

swprintf_s(wndMSGParam, _wndMSGLength + 6, L"/m \"%.*ls\"",
           (int)_wndMSGLength, _wndMSG);
Notes:

- %ls expects a pointer to wchar_t, a wide character string, which is copied to the destination array unmodified.
- The .* in %.*ls specifies that a maximum number of characters to copy from the string argument is passed as an int argument before the string pointer. If this maximum number is a constant (eg: 10), it can be written %.10ls without an extra argument.
- Note that this precision field is different from the width field that can be written just after the %, as a decimal number or a *, and specifies the number of characters to pad the output to with spaces. For example:

wchar_t wbuf[20];
/* swprintf_s takes the destination size in wchar_t elements, not bytes */
swprintf_s(wbuf, sizeof wbuf / sizeof wbuf[0], L"|%6.5ls|", L"1234567");

produces the string | 12345| in wbuf.
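The point of the answer above, as an added example that is neither the asker's nor the answerer's code: a wide buffer whose readable length is declared by a separate count (the _In_bytecount_ pattern from the question) must be formatted with a precision bound, otherwise %ls keeps reading until it happens to find a terminator. To compile outside MSVC, the example uses C99 swprintf in place of swprintf_s; both take the destination size in wchar_t elements, not bytes, which is what the "* 2" in the annotations tends to confuse. The sample buffer is constructed, and every name except _wndMSG/_wndMSGLength is hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Added example, not code from the original post. C99 swprintf() stands in for
 * MSVC's swprintf_s(); both size the destination in wchar_t elements. */

#define WRAPPER_CHARS 5   /* '/', 'm', ' ', '"' before the message and '"' after */

/* Elements needed for "/m \"<msg>\"" including the terminating L'\0'. */
size_t required_count(size_t msg_len) { return msg_len + WRAPPER_CHARS + 1; }

/* Hardened builder: the .* precision limits the read to msg_len characters,
 * so a buffer that is not null terminated is never read past its declared
 * length (the mirror of _wndMSG / _wndMSGLength in the question). */
int build_msg_param(wchar_t *out, size_t out_count, const wchar_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len > INT_MAX) return -1;      /* precision is an int */
    if (out_count < required_count(msg_len)) return -1;    /* room for L'\0' */
    int n = swprintf(out, out_count, L"/m \"%.*ls\"", (int)msg_len, msg);
    return (n < 0 || (size_t)n != msg_len + WRAPPER_CHARS) ? -1 : n;
}

/* Constructed input: the caller declares only the first 5 characters readable,
 * but memory happens to continue with more data before a terminator shows up. */
static const wchar_t stash[] = L"crashSECRETDATA";
static const size_t declared_len = 5;

/* Naive: %ls (MSVC's %s in wide functions) walks to the terminator and
 * ignores declared_len; returns 1 when the copy ran past it. */
int naive_copies_past_declared_length(void)
{
    wchar_t out[64];
    int n = swprintf(out, 64, L"/m \"%ls\"", stash);
    return n > 0 && (size_t)n > declared_len + WRAPPER_CHARS;
}

/* Hardened: output is exactly /m "crash", nothing beyond character 5. */
int hardened_stops_at_declared_length(void)
{
    wchar_t out[64];
    int n = build_msg_param(out, 64, stash, declared_len);
    return n == (int)(declared_len + WRAPPER_CHARS) && wcscmp(out, L"/m \"crash\"") == 0;
}

/* Destination too small: the builder refuses instead of truncating or overflowing. */
int hardened_rejects_small_buffer(void)
{
    wchar_t out[8];                            /* required_count(5) is 11 */
    return build_msg_param(out, 8, stash, declared_len) == -1;
}

/* Width pads, precision truncates: "%6.5ls" of L"1234567" yields "| 12345|". */
int width_vs_precision(void)
{
    wchar_t wbuf[20];
    swprintf(wbuf, sizeof wbuf / sizeof wbuf[0], L"|%6.5ls|", L"1234567");
    return wcscmp(wbuf, L"| 12345|") == 0;
}

int main(void)
{
    printf("naive over-read: %d, hardened ok: %d, small buffer rejected: %d\n",
           naive_copies_past_declared_length(),
           hardened_stops_at_declared_length(),
           hardened_rejects_small_buffer());
    return 0;
}
```

On MSVC, replacing swprintf with swprintf_s keeps the same element-count semantics, and the (int) cast on the length is what lets the analyzer see that parameter 4 is bounded, which is the condition C26052 is complaining about.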