| // RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s |
| |
| int scanf(const char *restrict format, ...); |
| int getchar(void); |
| |
| #define BUFSIZE 10 |
| |
| int Buffer[BUFSIZE]; |
| void bufferScanfDirect(void) |
| { |
| int n; |
| scanf("%d", &n); |
| Buffer[n] = 1; // expected-warning {{Out of bound memory access }} |
| } |
| |
| void bufferScanfArithmetic1(int x) { |
| int n; |
| scanf("%d", &n); |
| int m = (n - 3); |
| Buffer[m] = 1; // expected-warning {{Out of bound memory access }} |
| } |
| |
| void bufferScanfArithmetic2(int x) { |
| int n; |
| scanf("%d", &n); |
| int m = 100 / (n + 3) * x; |
| Buffer[m] = 1; // expected-warning {{Out of bound memory access }} |
| } |
| |
| void bufferScanfAssignment(int x) { |
| int n; |
| scanf("%d", &n); |
| int m; |
| if (x > 0) { |
| m = n; |
| Buffer[m] = 1; // expected-warning {{Out of bound memory access }} |
| } |
| } |
| |
| void scanfArg() { |
| int t; |
| scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}} |
| } |
| |
| void bufferGetchar(int x) { |
| int m = getchar(); |
| Buffer[m] = 1; //expected-warning {{Out of bound memory access }} |
| } |
| |
| typedef struct _FILE FILE; |
| extern FILE *stdin; |
| int fscanf(FILE *restrict stream, const char *restrict format, ...); |
| int sprintf(char *str, const char *format, ...); |
| void setproctitle(const char *fmt, ...); |
| |
| void testUncontrolledFormatString() { |
| char s[80]; |
| fscanf(stdin, "%s", s); |
| char buf[128]; |
| sprintf(buf,s); // expected-warning {{Uncontrolled Format String}} |
| setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}} |
| } |