Description
Test case with false positive:

```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    const char *buff = "foo";
    char *res = NULL;
    // %mc allocates exactly one byte (the width, default 1) and appends
    // no terminating NUL; ASAN fails inside the sscanf interceptor.
    sscanf(buff, "%mc", &res);
    free(res);
    return 0;
}
```
The above code fails under glibc-2.35 (but the responsible code wasn't changed in the last 9 years).
Responsible code: https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors_format.inc#L347
IMHO it's invalid to assume the NULL character would be appended in case of %[precision]mc, so strlen can't be used here (and +1 is strictly invalid). The POSIX-2008:TC2 standard is kind of ambiguous about that, but I've found a discussion about changes going into TC3 (when it is published) which explicitly states that the NULL character would be appended in the s case only: https://www.austingroupbugs.net/view.php?id=1173

Other standard libraries besides glibc were not inspected.
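The following is an added example, not code from the issue or from the LLVM project, showing how the size of a buffer allocated by a scanf `m` conversion has to be computed so that `%mc` is not treated like `%ms`. The helper name `scanf_m_alloc_size` is hypothetical; `demo` assumes a libc that implements the POSIX.1-2008 `m` assignment-allocation modifier (glibc does).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size in bytes of the buffer a scanf "m" conversion allocated.
 * %ms and %m[...] append a terminating NUL, so strlen + 1 is exact.
 * %mc allocates exactly `width` bytes (default 1) and appends nothing,
 * so strlen on that buffer reads past the allocation; the size must be
 * derived from the field width instead. */
size_t scanf_m_alloc_size(char conv, int width, const char *res)
{
    if (conv == 'c')
        return (size_t)(width > 0 ? width : 1);
    return strlen(res) + 1;
}

/* Copies the bytes of a %mc result into a caller-owned, NUL-terminated
 * buffer without ever calling strlen on the unterminated allocation.
 * Returns the number of bytes copied, or -1 if the result does not fit. */
int copy_mc_result(const char *res, int width, char *out, size_t out_len)
{
    size_t n = scanf_m_alloc_size('c', width, res);
    if (n + 1 > out_len)
        return -1;
    memcpy(out, res, n);
    out[n] = '\0';
    return (int)n;
}

/* Demonstration on constructed input: "%3mc" consumes three bytes with no
 * NUL, "%ms" consumes the rest and is NUL-terminated. Returns 1 when both
 * results are handled with the correct sizes, 0 otherwise. */
int demo(void)
{
    const char *input = "foobar";   /* constructed sample input */
    char *c_res = NULL, *s_res = NULL;
    char safe[8];
    int ok = 0;

    if (sscanf(input, "%3mc%ms", &c_res, &s_res) != 2)
        goto out;

    /* %3mc: size comes from the width, not from strlen. */
    if (copy_mc_result(c_res, 3, safe, sizeof safe) != 3)
        goto out;
    if (strcmp(safe, "foo") != 0)
        goto out;

    /* %ms: NUL-terminated, so strlen + 1 is the allocation size. */
    if (scanf_m_alloc_size('s', 0, s_res) != strlen("bar") + 1)
        goto out;
    ok = (strcmp(s_res, "bar") == 0);

out:
    free(c_res);
    free(s_res);
    return ok;
}

int main(void)
{
    printf("%s\n", demo() ? "sizes handled correctly" : "mismatch");
    return 0;
}
```

The point of the split in `scanf_m_alloc_size` is the one the issue makes: for the `c` conversion the only information about the allocation size is the field width, so an interceptor that wants to mark the allocated region as written must take it from the format string rather than from the contents of the buffer.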