gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c

   1 // TODO: remove need for this option:
   2 /* { dg-additional-options "-fanalyzer-checker=taint" } */
   3
   4 #include "analyzer-decls.h"
   5 #include <stdio.h>
   6 #include <stdlib.h>
   7 #include <string.h>
   8
   9 struct foo
  10 {
  11   int num;
  12 };
  13
  14 /* malloc with tainted size from a field.  */
  15
  16 void *test_1 (FILE *f)
  17 {
  18   struct foo tmp;
  19   fread(&tmp, sizeof(tmp), 1, f); /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
  20
  21   __analyzer_dump_state ("taint", tmp.num); /* { dg-warning "state: 'tainted'" } */
  22   __analyzer_dump_state ("taint", tmp.num * 16); /* { dg-warning "state: 'tainted'" } */
  23
  24   return malloc (tmp.num * 16); /* { dg-warning "use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
  25   /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target *-*-* } .-1 } */
  26   // TODO: show where tmp.num * 16 gets the bogus value
  27 }