1 // TODO: remove need for this option:
2 /* { dg-additional-options "-fanalyzer-checker=taint" } */
4 #include "analyzer-decls.h"
14 /* malloc with tainted size from a field. */
16 void *test_1 (FILE *f
)
19 fread(&tmp
, sizeof(tmp
), 1, f
); /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
21 __analyzer_dump_state ("taint", tmp
.num
); /* { dg-warning "state: 'tainted'" } */
22 __analyzer_dump_state ("taint", tmp
.num
* 16); /* { dg-warning "state: 'tainted'" } */
24 return malloc (tmp
.num
* 16); /* { dg-warning "use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
25 /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target *-*-* } .-1 } */
26 // TODO: show where tmp.num * 16 gets the bogus value