gcc/testsuite/c-c++-common/analyzer/out-of-bounds-5.c

   1 /* { dg-additional-options "-Wno-unused-but-set-variable" } */
   2 /* { dg-require-effective-target alloca } */
   3
   4 #include <string.h>
   5 #include <stdlib.h>
   6 #include <stdint.h>
   7
   8 /* Tests with symbolic values.  */
   9
  10 void test1 (size_t size)
  11 {
  12   char *buf = (char *)__builtin_malloc (size);
  13   if (!buf) return;
  14
  15   buf[size] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
  16   __builtin_free (buf);
  17 }
  18
  19 void test2 (size_t size)
  20 {
  21   char *buf = (char *)__builtin_malloc (size);
  22   if (!buf) return;
  23
  24   buf[size + 1] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
  25   __builtin_free (buf);
  26 }
  27
  28 void test3 (size_t size, size_t op)
  29 {
  30   char *buf = (char *)__builtin_malloc (size);
  31   if (!buf) return;
  32
  33   buf[size + op] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
  34   __builtin_free (buf);
  35 }
  36
  37 void test4 (size_t size, unsigned short s)
  38 {
  39   char *buf = (char *)__builtin_alloca (size);
  40   buf[size + s] = '\0'; /* { dg-warning "stack-based buffer overflow" } */
  41 }
  42
  43 void test5 (size_t size)
  44 {
  45   int32_t *buf = (int32_t *)__builtin_alloca (4 * size);
  46   buf[size] = 42; /* { dg-warning "stack-based buffer overflow" } */
  47 }
  48
  49 void test6 (size_t size)
  50 {
  51   int32_t *buf = (int32_t *)__builtin_alloca (4 * size);
  52   memset (buf, 0, 4 * size);
  53   int32_t last = *(buf + 4 * size); /* { dg-warning "stack-based buffer over-read" } */
  54 }
  55
  56 void test7 (size_t size)
  57 {
  58   int32_t *buf = (int32_t *)__builtin_alloca (4 * size + 3); /* { dg-warning "allocated buffer size is not a multiple of the pointee's size" } */
  59   buf[size] = 42; /* { dg-warning "stack-based buffer overflow" } */
  60 }
  61
  62 /* Test where the offset itself is not out-of-bounds
  63    but multiple bytes are read.  */
  64
  65 void test8 (size_t size, size_t offset)
  66 {
  67   char src[size];
  68   char dst[size];
  69   memcpy (dst, src, size + offset); /* { dg-line test8 } */
  70   /* { dg-warning "over-read" "warning" { target *-*-* } test8 } */
  71   /* { dg-warning "overflow" "warning" { target *-*-* } test8 } */
  72 }
  73
  74 void test9 (size_t size, size_t offset)
  75 {
  76   int32_t src[size];
  77   int32_t dst[size];
  78   memcpy (dst, src, 4 * size + 1); /* { dg-line test9 } */
  79   /* { dg-warning "over-read" "warning" { target *-*-* } test9 } */
  80   /* { dg-warning "overflow" "warning" { target *-*-* } test9 } */
  81 }
  82
  83 /* Test for no false-positives.  */
  84
  85 void test10 (size_t size)
  86 {
  87   int32_t buf[4 * size];
  88   /* 4 * size is smaller than 4 * 4 * size.  */
  89   buf[size] = 42;
  90 }
  91
  92 void test11 (size_t size)
  93 {
  94   int32_t *buf = (int32_t *)__builtin_alloca (4 * size + 5); /* { dg-warning "allocated buffer size is not a multiple of the pointee's size" } */
  95   buf[size] = 42;
  96 }
  97
  98 void test12 (size_t size, size_t offset)
  99 {
 100   int buf[size];
 101   buf[offset] = 42;
 102 }
 103
 104 void test13 (size_t size, int offset)
 105 {
 106   int buf[size];
 107   /* We don't know whether offset is positive or not.  */
 108   buf[size + offset] = 42;
 109 }
 110
 111 void test14 (size_t size, size_t offset, size_t offset2)
 112 {
 113   int buf[size];
 114   /* We don't know whether offset > offset2.  */
 115   buf[size + offset - offset2] = 42;
 116 }
 117
 118 void test15 (size_t a, size_t b)
 119 {
 120   int buf[a * b];
 121   /* We can't reason about a*b < a+b either.  */
 122   buf[a + b] = 42;
 123 }
 124
 125 /* Misc.  */
 126
 127 char *test98 (const char *x, const char *y)
 128 {
 129   size_t len_x = __builtin_strlen (x);
 130   size_t len_y = __builtin_strlen (y);
 131   size_t sz = len_x + len_y + 1;
 132   char *result = (char *)__builtin_malloc (sz);
 133   if (!result)
 134     return NULL;
 135   __builtin_memcpy (result, x, len_x);
 136   __builtin_memcpy (result + len_x, y, len_y);
 137   result[len_x + len_y] = '\0';
 138   return result;
 139 }
 140
 141 char *test99 (const char *x, const char *y)
 142 {
 143   size_t len_x = __builtin_strlen (x);
 144   size_t len_y = __builtin_strlen (y);
 145   /* BUG (root cause): forgot to add 1 for terminator.  */
 146   size_t sz = len_x + len_y;
 147   char *result = (char *)__builtin_malloc (sz);
 148   if (!result)
 149     return NULL;
 150   __builtin_memcpy (result, x, len_x);
 151   __builtin_memcpy (result + len_x, y, len_y);
 152   /* BUG (symptom): off-by-one out-of-bounds write to heap.  */
 153   result[len_x + len_y] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
 154   return result;
 155 }