[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)
Balazs Benics via cfe-commits
cfe-commits at lists.llvm.org
Fri May 17 05:12:14 PDT 2024
================
@@ -48,6 +49,45 @@ void myfoo(int *p);
void myfooint(int p);
char *fooRetPtr(void);
+void t1(void) {
+ size_t size;
+ scanf("%zu", &size);
+ int *p = malloc(size); // expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}}
+ free(p);
+}
+
+void t2(void) {
+ size_t size;
+ scanf("%zu", &size);
+ int *p = calloc(size,2); // expected-warning{{calloc is called with a tainted (potentially attacker controlled) value}}
+ free(p);
+}
+
+void t3(void) {
+ size_t size;
+ scanf("%zu", &size);
+ if (1024<size)
+ return;
+ int *p = malloc(size); // No warning expected as the the user input is bound
+ free(p);
+}
+
+void t4(void) {
+ size_t size;
+ int *p = malloc(sizeof(int));
+ scanf("%zu", &size);
+ p = (int*) realloc((void*) p, size); // // expected-warning{{realloc is called with a tainted (potentially attacker controlled) value}}
----------------
steakhal wrote:
```suggestion
p = (int*) realloc((void*) p, size); // expected-warning{{realloc is called with a tainted (potentially attacker controlled) value}}
```
https://github.com/llvm/llvm-project/pull/92420