6 /* -Wanalyzer-out-of-bounds tests for buffer overflows. */
8 /* Avoid folding of memcpy: the copy in the CWE-787 test further down is
   made through a pointer of this type obtained from get_memcpy (), not
   through a call to memcpy by name.
   NOTE(review): presumably the noinline helper declared next is what
   keeps the callee opaque to the optimizer - confirm. */
9 typedef void * (*memcpy_t
) (void *dst
, const void *src
, size_t n
);
11 static memcpy_t
__attribute__((noinline
))
18 /* Taken from CWE-787. */
26 id_sequence
[3] = 456; /* { dg-line test1 } */
28 /* { dg-warning "stack-based buffer overflow" "warning" { target *-*-* } test1 } */
29 /* { dg-message "write of 4 bytes to beyond the end of 'id_sequence'" "num bad bytes note" { target *-*-* } test1 } */
30 /* { dg-message "valid subscripts for 'id_sequence' are '\\\[0\\\]' to '\\\[2\\\]'" "valid subscript note" { target *-*-* } test1 } */
38 for (int i
= n
- 1; i
>= 0; i
--)
47 for (int i
= n
; i
>= 0; i
--)
48 arr
[i
] = i
; /* { dg-line test3 } */
50 /* { dg-warning "stack-based buffer overflow" "warning" { target *-*-* } test3 } */
51 /* { dg-message "write of 4 bytes to beyond the end of 'arr'" "num bad bytes note" { target *-*-* } test3 } */
52 /* { dg-message "valid subscripts for 'arr' are '\\\[0\\\]' to '\\\[3\\\]'" "valid subscript note" { target *-*-* } test3 } */
57 int *arr
= (int *)malloc (4 * sizeof (int));
61 int *last_el
= arr
+ 3;
69 int *arr
= (int *)malloc (4 * sizeof (int));
73 int *last_el
= arr
+ 4;
74 *last_el
= 4; /* { dg-line test5 } */
77 /* { dg-warning "heap-based buffer overflow" "warning" { target *-*-* } test5 } */
78 /* { dg-message "" "note" { target *-*-* } test5 } */
81 /* Taken from "A Provenance-aware Memory Object Model for C". */
82 int y
= 2, x
= 1; /* { dg-message "capacity" } */
87 printf ("Addresses: p=% p q=% p \n" , (void *) p
, (void *) q
);
88 if (memcmp (&p
, &q
, sizeof (p
)) == 0)
90 *p
= 11; /* { dg-line test6b } */
91 printf ("x=%d y=%d *p=%d *q=%d\n" , x
, y
, *p
, *q
); /* { dg-line test6c } */
94 /* { dg-warning "buffer overflow" "warning" { target *-*-* } test6b } */
95 /* { dg-message "" "note" { target *-*-* } test6b } */
96 /* { dg-warning "buffer over-read" "warning" { target *-*-* } test6c } */
97 /* { dg-message "" "note" { target *-*-* } test6c } */
100 extern int is_valid (void);
/* Size helper used by the CWE-787 test that follows; the analyzer
   expectations attached to that call depend on this body staying as
   written, so the flaws below are documented rather than fixed.
   NOTE(review): sizeof (*ptr) is the size of a single int, not of the
   buffer ptr points into.  The -1 error value is never checked by the
   caller, which passes the result straight to a size_t byte count, where
   -1 converts to a very large length. */
102 int returnChunkSize (int *ptr
)
104 /* If chunk info is valid, return the size of usable memory,
105 else, return -1 to indicate an error. */
106 return is_valid () ? sizeof (*ptr
) : -1;
109 /* Taken from CWE-787. */
112 memcpy_t fn
= get_memcpy ();
116 fn (destBuf
, srcBuf
, returnChunkSize (destBuf
)); /* { dg-line test7 } */
118 // TODO: Should we handle widening_svalues as a follow-up?
119 /* { dg-warning "over-read" "warning" { xfail *-*-* } test7 } */
120 /* { dg-warning "use of uninitialized value" "uninit warning" { target *-*-* } test7 } */
121 /* { dg-warning "overflow" "warning" { xfail *-*-* } test7 } */