[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)
via cfe-commits
cfe-commits at lists.llvm.org
Fri Feb 23 01:26:51 PST 2024
================
@@ -229,6 +228,28 @@ Check for declarations of Variable Length Arrays of undefined or zero size.
int vla2[x]; // warn: zero size
}
+
+The checker also gives warning if the `TaintPropagation` checker is switched on
+and an unbound, attacker controlled (tainted) value is used to define
+the size of the VLA.
+
+.. code-block:: c
+
+ void taintedVLA(void) {
+ int x;
+ scanf("%d", &x);
+ int vla[x]; // Declared variable-length array (VLA) has a tainted (attacker controlled) size, that can be 0 or negative
+ }
+
+ void taintedVerfieidVLA(void) {
+ int x;
+ scanf("%d", &x);
+ if (x<1)
+ return;
+ int vla[x]; // no-warning. The analyzer can prove that the x can only be positive.
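Review bot: the second example's function name `taintedVerfieidVLA` is misspelled and should read `taintedVerifiedVLA`, since the name is meant to signal that the size was verified before use. In the prose above the code block, "also gives warning" should be "also gives a warning", and "unbound, attacker controlled (tainted)" reads better as "unbounded, attacker-controlled (tainted)". The `if (x<1) return;` guard is the right illustration of why the second case is silent (it rules out both zero and negative sizes, exactly the two problems the first comment names), so it would help to say so explicitly in the no-warning comment, e.g. "The analyzer can prove that x must be positive."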
----------------
NagyDonat wrote:
```suggestion
int vla[x]; // no-warning. The analyzer can prove that x must be positive.
```
`the x` was very strange.
https://github.com/llvm/llvm-project/pull/68140