test/Analysis/taint-generic.c - platform/external/clang - Git at Google

 // RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s

 int scanf(const char *restrict format, ...);
 int getchar(void);

 #define BUFSIZE 10

 int Buffer[BUFSIZE];
 void bufferScanfDirect(void)
 {
   int n;
   scanf("%d", &n);
   Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
 }

 void bufferScanfArithmetic1(int x) {
   int n;
   scanf("%d", &n);
   int m = (n - 3);
   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
 }

 void bufferScanfArithmetic2(int x) {
   int n;
   scanf("%d", &n);
   int m = 100 / (n + 3) * x;
   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
 }

 void bufferScanfAssignment(int x) {
   int n;
   scanf("%d", &n);
   int m;
   if (x > 0) {
     m = n;
     Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
   }
 }

 void scanfArg() {
   int t;
   scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
 }

 void bufferGetchar(int x) {
   int m = getchar();
   Buffer[m] = 1;  //expected-warning {{Out of bound memory access }}
 }

 typedef struct _FILE FILE;
 extern FILE *stdin;
 int fscanf(FILE *restrict stream, const char *restrict format, ...);
 int sprintf(char *str, const char *format, ...);
 void setproctitle(const char *fmt, ...);

 void testUncontrolledFormatString() {
   char s[80];
   fscanf(stdin, "%s", s);
   char buf[128];
   sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
   setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
 }
	// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s

	int scanf(const char *restrict format, ...);
	int getchar(void);

	#define BUFSIZE 10

	int Buffer[BUFSIZE];
	void bufferScanfDirect(void)
	{
	int n;
	scanf("%d", &n);
	Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
	}

	void bufferScanfArithmetic1(int x) {
	int n;
	scanf("%d", &n);
	int m = (n - 3);
	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
	}

	void bufferScanfArithmetic2(int x) {
	int n;
	scanf("%d", &n);
	int m = 100 / (n + 3) * x;
	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
	}

	void bufferScanfAssignment(int x) {
	int n;
	scanf("%d", &n);
	int m;
	if (x > 0) {
	m = n;
	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
	}
	}

	void scanfArg() {
	int t;
	scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
	}

	void bufferGetchar(int x) {
	int m = getchar();
	Buffer[m] = 1; //expected-warning {{Out of bound memory access }}
	}

	typedef struct _FILE FILE;
	extern FILE *stdin;
	int fscanf(FILE restrict stream, const char restrict format, ...);
	int sprintf(char str, const char format, ...);
	void setproctitle(const char *fmt, ...);

	void testUncontrolledFormatString() {
	char s[80];
	fscanf(stdin, "%s", s);
	char buf[128];
	sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
	setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
	}