2012-01-07 10:33:10 +08:00
|
|
|
// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s
|
2011-11-17 03:58:17 +08:00
|
|
|
|
|
|
|
int scanf(const char *restrict format, ...);
|
|
|
|
int getchar(void);
|
|
|
|
|
2012-01-12 10:22:34 +08:00
|
|
|
typedef struct _FILE FILE;
|
|
|
|
extern FILE *stdin;
|
|
|
|
int fscanf(FILE *restrict stream, const char *restrict format, ...);
|
|
|
|
int sprintf(char *str, const char *format, ...);
|
|
|
|
void setproctitle(const char *fmt, ...);
|
|
|
|
typedef __typeof(sizeof(int)) size_t;
|
|
|
|
|
|
|
|
// Define string functions. Use builtin for some of them. They all default to
|
|
|
|
// the processing in the taint checker.
|
|
|
|
#define strcpy(dest, src) \
|
|
|
|
((__builtin_object_size(dest, 0) != -1ULL) \
|
|
|
|
? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
|
|
|
|
: __inline_strcpy_chk(dest, src))
|
|
|
|
|
|
|
|
static char *__inline_strcpy_chk (char *dest, const char *src) {
|
|
|
|
return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
|
|
|
|
}
|
|
|
|
char *stpcpy(char *restrict s1, const char *restrict s2);
|
|
|
|
char *strncpy( char * destination, const char * source, size_t num );
|
|
|
|
|
2011-11-17 03:58:17 +08:00
|
|
|
#define BUFSIZE 10
|
|
|
|
|
|
|
|
int Buffer[BUFSIZE];
|
2011-11-29 04:43:40 +08:00
|
|
|
void bufferScanfDirect(void)
|
2011-11-17 03:58:17 +08:00
|
|
|
{
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
|
|
|
Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
2011-11-18 07:07:28 +08:00
|
|
|
|
|
|
|
void bufferScanfArithmetic1(int x) {
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
|
|
|
int m = (n - 3);
|
|
|
|
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
|
|
|
|
|
|
|
void bufferScanfArithmetic2(int x) {
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
2011-11-29 04:43:40 +08:00
|
|
|
int m = 100 / (n + 3) * x;
|
2011-11-18 07:07:28 +08:00
|
|
|
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
2011-11-18 10:26:36 +08:00
|
|
|
|
2011-11-29 04:43:40 +08:00
|
|
|
void bufferScanfAssignment(int x) {
|
|
|
|
int n;
|
|
|
|
scanf("%d", &n);
|
|
|
|
int m;
|
|
|
|
if (x > 0) {
|
|
|
|
m = n;
|
|
|
|
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-11-18 10:26:36 +08:00
|
|
|
void scanfArg() {
|
|
|
|
int t;
|
2011-12-12 02:43:40 +08:00
|
|
|
scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
|
2011-11-18 10:26:36 +08:00
|
|
|
}
|
2011-11-29 04:43:40 +08:00
|
|
|
|
|
|
|
void bufferGetchar(int x) {
|
|
|
|
int m = getchar();
|
|
|
|
Buffer[m] = 1; //expected-warning {{Out of bound memory access }}
|
|
|
|
}
|
2012-01-07 10:33:10 +08:00
|
|
|
|
2012-01-12 10:22:34 +08:00
|
|
|
void testUncontrolledFormatString(char **p) {
|
2012-01-07 10:33:10 +08:00
|
|
|
char s[80];
|
|
|
|
fscanf(stdin, "%s", s);
|
|
|
|
char buf[128];
|
|
|
|
sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
|
2012-01-12 10:22:34 +08:00
|
|
|
|
|
|
|
// Test taint propagation through strcpy and family.
|
|
|
|
char scpy[80];
|
|
|
|
strcpy(scpy, s);
|
|
|
|
sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
|
|
|
|
char spcpy[80];
|
|
|
|
stpcpy(spcpy, s);
|
|
|
|
setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
|
|
|
|
|
|
|
|
char sncpy[80];
|
|
|
|
strncpy(sncpy, s, 20);
|
|
|
|
setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
|
2012-01-07 10:33:10 +08:00
|
|
|
}
|