2 files changed, 16 insertions, 3 deletions

diff --git a/lib/Analysis/FormatString.cpp b/lib/Analysis/FormatString.cpp
index a68b9bb324..f03a84fb52 100644
--- a/lib/Analysis/FormatString.cpp
+++ b/lib/Analysis/FormatString.cpp
@@ -262,6 +262,13 @@ bool ArgTypeResult::matchesType(ASTContext &C, QualType argTy) const {
         argTy = ETy->getDecl()->getIntegerType();
       argTy = C.getCanonicalType(argTy).getUnqualifiedType();
 
+      if (const PointerType *PTy = argTy->getAs<PointerType>()) {
+        // Strip volatile qualifier from pointee type.
+        QualType Pointee = PTy->getPointeeType();
+        Pointee.removeLocalVolatile();
+        argTy = C.getPointerType(Pointee);
+      }
+
       if (T == argTy)
         return true;
       // Check for "compatible types".
diff --git a/lib/Analysis/ScanfFormatString.cpp b/lib/Analysis/ScanfFormatString.cpp
index 3c848f1f09..1bbd5f2d29 100644
--- a/lib/Analysis/ScanfFormatString.cpp
+++ b/lib/Analysis/ScanfFormatString.cpp
@@ -453,6 +453,15 @@ bool clang::analyze_format_string::ParseScanfString(FormatStringHandler &H,
 }
 
 bool ScanfArgTypeResult::matchesType(ASTContext& C, QualType argTy) const {
+  // It has to be a pointer type.
+  const PointerType *PT = argTy->getAs<PointerType>();
+  if (!PT)
+    return false;
+
+  // We cannot write through a const qualified pointer.
+  if (PT->getPointeeType().isConstQualified())
+    return false;
+
   switch (K) {
     case InvalidTy:
       llvm_unreachable("ArgTypeResult must be valid");
@@ -463,9 +472,6 @@ bool ScanfArgTypeResult::matchesType(ASTContext& C, QualType argTy) const {
     case WCStrTy:
       return ArgTypeResult(ArgTypeResult::WCStrTy).matchesType(C, argTy);
     case PtrToArgTypeResultTy: {
-      const PointerType *PT = argTy->getAs<PointerType>();
-      if (!PT)
-        return false;
       return A.matchesType(C, PT->getPointeeType());
     }
   }