diff options
| author | Ted Kremenek <kremenek@apple.com> | 2011-08-03 20:17:43 +0000 |
|---|---|---|
| committer | Ted Kremenek <kremenek@apple.com> | 2011-08-03 20:17:43 +0000 |
| commit | 17f7bdddd11a2dc5b4be248f756e14b1ebfe207b (patch) | |
| tree | 200c9e1b0fea557e1070bf2130cbe7387dc58c94 /test/Analysis/malloc-overflow.c | |
| parent | 74133075f5024ce87e4c1eb644d77c20e1c521f4 (diff) | |
[analyzer] Introduce MallocOverflowSecurityChecker, a simple flow-sensitive checker that may be useful for security auditing. This checker is currently too noisy to be on by default.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@136804 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'test/Analysis/malloc-overflow.c')
| -rw-r--r-- | test/Analysis/malloc-overflow.c | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/test/Analysis/malloc-overflow.c b/test/Analysis/malloc-overflow.c new file mode 100644 index 0000000000..91bdc874f7 --- /dev/null +++ b/test/Analysis/malloc-overflow.c @@ -0,0 +1,114 @@ +// RUN: %clang_cc1 -triple x86_64-apple-macosx10.7.0 -analyze -analyzer-checker=security.experimental.MallocOverflow -verify %s + +typedef __typeof__(sizeof(int)) size_t; +extern void * malloc(size_t); + +void * f1(int n) +{ + return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} +} + +void * f2(int n) +{ + return malloc(sizeof(int) * n); // // expected-warning {{the computation of the size of the memory allocation may overflow}} +} + +void * f3() +{ + return malloc(4 * sizeof(int)); // no-warning +} + +struct s4 +{ + int n; +}; + +void * f4(struct s4 *s) +{ + return malloc(s->n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} +} + +void * f5(struct s4 *s) +{ + struct s4 s2 = *s; + return malloc(s2.n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} +} + +void * f6(int n) +{ + return malloc((n + 1) * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} +} + +#include <stddef.h> +extern void * malloc (size_t); + +void * f7(int n) +{ + if (n > 10) + return NULL; + return malloc(n * sizeof(int)); // no-warning +} + +void * f8(int n) +{ + if (n < 10) + return malloc(n * sizeof(int)); // no-warning + else + return NULL; +} + +void * f9(int n) +{ + int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} + for (int i = 0; i < n; i++) + x[i] = i; + return x; +} + +void * f10(int n) +{ + int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} + int i = 0; + while (i < n) + x[i++] = 0; + return x; +} + +void * f11(int n) +{ + int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} + int i = 0; + do { + x[i++] = 0; + } while (i < n); + return x; +} + +void * f12(int n) +{ + n = (n > 10 ? 10 : n); + int * x = malloc(n * sizeof(int)); // no-warning + for (int i = 0; i < n; i++) + x[i] = i; + return x; +} + +struct s13 +{ + int n; +}; + +void * f13(struct s13 *s) +{ + if (s->n > 10) + return NULL; + return malloc(s->n * sizeof(int)); // no warning +} + +void * f14(int n) +{ + if (n < 0) + return NULL; + return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} +} + |