1 #include "analyzer-decls.h"
14 /* memset with tainted size. */
19 if (1 == fread(&tmp
, sizeof(tmp
), 1, f
)) { /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
20 /* { dg-message "\\(\[0-9\]+\\) following 'true' branch\\.\\.\\." "event: following true branch" { target *-*-* } .-1 } */
21 __analyzer_dump_state ("taint", tmp
.sz
); /* { dg-warning "state: 'tainted'" } */
22 /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */
24 memset (buf
, 0, tmp
.sz
); /* { dg-warning "use of attacker-controlled value 'tmp\\.sz' as size without upper-bounds checking" "warning" } */
25 /* { dg-message "23: \\(\[0-9\]+\\) 'tmp.i' has an unchecked value here \\(from 'tmp'\\)" "event: tmp.i has an unchecked value" { xfail *-*-* } .-1 } */
26 /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.sz' as size without upper-bounds checking" "final event" { target *-*-* } .-2 } */
28 // TOOD: better messages for state changes
32 /* memcpy with tainted size. */
34 void __attribute__((tainted_args
))
37 memcpy (buf
, buf2
, sz
); /* { dg-warning "use of attacker-controlled value 'sz' as size without upper-bounds checking" } */
40 /* __attribute__ alloc_size with tainted size. */
42 extern void* (*my_alloc
)(size_t) __attribute__ ((alloc_size (1)));
44 void * __attribute__((tainted_args
))
45 test_attr_alloc_size (size_t sz
)
47 return my_alloc (sz
); /* { dg-warning "use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" } */