C++: Add a bunch of vararg related formatting functions that takes a 'va_list' parameter.

MathiasVP · MathiasVP · commit 2644d03d2b86 · 2026-05-21T16:52:46.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll
@@ -69,6 +69,38 @@ private class Fprintf extends FormattingFunction, NonCppThrowingFunction instanc
   override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = true }
 }
 
+/**
+ * The standard functions `vprintf`, `vwprintf` and their Microsoft variants.
+ */
+private class Vprintf extends VaListFormattingFunction, NonCppThrowingFunction instanceof TopLevelFunction
+{
+  Vprintf() {
+    (
+      this.hasGlobalOrStdOrBslName(["vprintf", "vwprintf"]) or
+      this.hasGlobalName(["_vprintf_l", "_vwprintf_l"])
+    ) and
+    not exists(this.getDefinition().getFile().getRelativePath())
+  }
+
+  override predicate isOutputGlobal() { any() }
+}
+
+/**
+ * The standard functions `vfprintf`, `vfwprintf` and their Microsoft variants.
+ */
+private class Vfprintf extends VaListFormattingFunction, NonCppThrowingFunction instanceof TopLevelFunction
+{
+  Vfprintf() {
+    (
+      this.hasGlobalOrStdOrBslName(["vfprintf", "vfwprintf"]) or
+      this.hasGlobalName(["_vfprintf_l", "_vfwprintf_l"])
+    ) and
+    not exists(this.getDefinition().getFile().getRelativePath())
+  }
+
+  override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = true }
+}
+
 /**
  * The standard function `sprintf` and its Microsoft and glib variants.
  */
@@ -112,6 +144,25 @@ private class Sprintf extends FormattingFunction, NonCppThrowingFunction instanc
   }
 }
 
+/**
+ * The standard function `vsprintf` and its Microsoft variants.
+ */
+private class Vsprintf extends VaListFormattingFunction, NonCppThrowingFunction instanceof TopLevelFunction
+{
+  Vsprintf() {
+    (
+      this.hasGlobalOrStdOrBslName("vsprintf") or // vsprintf(dst, format, va_list)
+      this.hasGlobalName([
+          "_vsprintf_l", // _vsprintf_l(dst, format, locale, va_list)
+          "__vswprintf_l" // __vswprintf_l(dst, format, locale, va_list)
+        ])
+    ) and
+    not exists(this.getDefinition().getFile().getRelativePath())
+  }
+
+  override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false }
+}
+
 /**
  * Implements `Snprintf`.
  */
@@ -185,6 +236,94 @@ private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction,
   }
 }
 
+/**
+ * The standard function `vsnprintf`, and its Microsoft variants.
+ */
+private class VsnprintfImpl extends Snprintf, VaListFormattingFunction, AliasFunction,
+  SideEffectFunction, NonCppThrowingFunction instanceof TopLevelFunction
+{
+  VsnprintfImpl() {
+    (
+      this.hasGlobalOrStdOrBslName("vsnprintf") // vsnprintf(dst, count, format, va_list)
+      or
+      this.hasGlobalName([
+          "vsnprintf_s", // vsnprintf_s(dst, size, count, format, va_list)
+          "vsprintf_s", // vsprintf_s(dst, size, format, va_list)
+          "vswprintf_s", // vswprintf_s(dst, size, format, va_list)
+          "_vsnprintf", // _vsnprintf(dst, count, format, va_list)
+          "_vsnprintf_l", // _vsnprintf_l(dst, count, format, locale, va_list)
+          "_vsnprintf_s", // _vsnprintf_s(dst, size, count, format, va_list)
+          "_vsnprintf_s_l", // _vsnprintf_s_l(dst, size, count, format, locale, va_list)
+          "_vsnwprintf", // _vsnwprintf(dst, count, format, va_list)
+          "_vsnwprintf_l", // _vsnwprintf_l(dst, count, format, locale, va_list)
+          "_vsnwprintf_s", // _vsnwprintf_s(dst, size, count, format, va_list)
+          "_vsnwprintf_s_l", // _vsnwprintf_s_l(dst, size, count, format, locale, va_list)
+          "_vsprintf_p", // _vsprintf_p(dst, size, format, va_list)
+          "_vsprintf_p_l", // _vsprintf_p_l(dst, size, format, locale, va_list)
+          "_vsprintf_s_l", // _vsprintf_s_l(dst, size, format, locale, va_list)
+          "_vswprintf_p", // _vswprintf_p(dst, count, format, va_list)
+          "_vswprintf_p_l", // _vswprintf_p_l(dst, count, format, locale, va_list)
+          "_vswprintf_s_l" // _vswprintf_s_l(dst, size, format, locale, va_list)
+        ])
+      or
+      this.hasGlobalOrStdOrBslName("vswprintf") and this.getNumberOfParameters() = 4
+      or
+      this.hasGlobalName("_vswprintf_l") and this.getNumberOfParameters() = 5
+    ) and
+    not exists(this.getDefinition().getFile().getRelativePath())
+  }
+
+  override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false }
+
+  override int getSizeParameterIndex() { result = 1 }
+
+  override predicate returnsFullFormatLength() { this.hasName(["vsnprintf", "vsnprintf_s"]) }
+
+  override predicate parameterNeverEscapes(int index) {
+    index =
+      [
+        this.getOutputParameterIndex(false), this.getFormatParameterIndex(),
+        this.getVaListParameterIndex()
+      ]
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = this.getOutputParameterIndex(false) and buffer = true and mustWrite = false
+    or
+    i = this.getVaListParameterIndex() and buffer = false and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = this.getFormatParameterIndex() and buffer = true
+    or
+    i = this.getVaListParameterIndex() and buffer = false
+  }
+}
+
+/**
+ * The Microsoft `_vscprintf_p` functions and variants.
+ */
+private class Vscprintf extends VaListFormattingFunction, NonCppThrowingFunction instanceof TopLevelFunction
+{
+  Vscprintf() {
+    this.hasGlobalName([
+        "_vscprintf_p", // _vscprintf_p(format, va_list)
+        "_vscprintf_p_l", // _vscprintf_p_l(format, locale, va_list)
+        "_vscwprintf_p", // _vscwprintf_p(format, va_list)
+        "_vscwprintf_p_l" // _vscwprintf_p_l(format, locale, va_list)
+      ]) and
+    not exists(this.getDefinition().getFile().getRelativePath())
+  }
+}
+
 /**
  * The Microsoft `StringCchPrintf` function and variants.
  * See: https://learn.microsoft.com/en-us/windows/win32/api/strsafe/
