[PATCH] D112558: [analyzer] sprintf is a taint propagator not a source
Balázs Benics via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Thu Oct 28 02:03:27 PDT 2021
This revision was automatically updated to reflect the committed changes.
Closed by commit rG49285f43e5ed: [analyzer] sprintf is a taint propagator not a source (authored by steakhal).
Herald added a project: clang.
Herald added a subscriber: cfe-commits.
Changed prior to commit:
https://reviews.llvm.org/D112558?vs=382600&id=382953#toc
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D112558/new/
https://reviews.llvm.org/D112558
Files:
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
clang/test/Analysis/taint-generic.c
Index: clang/test/Analysis/taint-generic.c
===================================================================
--- clang/test/Analysis/taint-generic.c
+++ clang/test/Analysis/taint-generic.c
@@ -341,6 +341,16 @@
*(volatile int *) 0; // no-warning
}
+int sprintf_is_not_a_source(char *buf, char *msg) {
+ int x = sprintf(buf, "%s", msg); // no-warning
+ return 1 / x; // no-warning: 'sprintf' is not a taint source
+}
+
+int sprintf_propagates_taint(char *buf, char *msg) {
+ scanf("%s", msg);
+ int x = sprintf(buf, "%s", msg); // propagate taint!
+ return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
+}
// Test configuration
int mySource1();
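Review bot: Both new tests pass the literal "%s" as the format string, so in `sprintf_propagates_taint` the taint reaches `sprintf` only through `msg` in the variadic position; no test covers a tainted format string at argument index 1, which is the index the checker change adds as a source argument. Consider adding a case where the format pointer itself is filled by `scanf` before the `sprintf` call. The tests also observe taint only through the return value `x`; an assertion on `buf` after the call would cover the destination index 0 as well. Minor style point: a blank line after the closing brace of `sprintf_propagates_taint` would keep it separated from the `// Test configuration` comment, as the other test functions are.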
Index: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -514,7 +514,7 @@
if (OneOf("snprintf"))
return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3};
if (OneOf("sprintf"))
- return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2};
+ return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 2};
if (OneOf("strcpy", "stpcpy", "strcat"))
return {{1}, {0, ReturnValueIndex}};
if (OneOf("bcopy"))
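Review bot: The changed `sprintf` line relies on an undocumented convention: the only difference between the removed and added lines is `{}` versus `{1}` in the first list, and per the commit title that is what separates a taint source from a taint propagator. A short comment on this entry, or next to the rule type, stating what an empty first list means and that index 1 is the format string while 2 is the first variadic argument, would make the same mistake harder to repeat. The neighbouring `snprintf` entry uses the same positional form with 3 as its last field and would benefit from the same note.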