1 // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
2
3 // This file is for testing enhanced diagnostics produced by the GenericTaintChecker
4
5 int scanf(const char *restrict format, ...);
6 int system(const char *command);
7
taintDiagnostic()8 void taintDiagnostic()
9 {
10 char buf[128];
11 scanf("%s", buf); // expected-note {{Taint originated here}}
12 system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
13 }
14
taintDiagnosticOutOfBound()15 int taintDiagnosticOutOfBound() {
16 int index;
17 int Array[] = {1, 2, 3, 4, 5};
18 scanf("%d", &index); // expected-note {{Taint originated here}}
19 return Array[index]; // expected-warning {{Out of bound memory access (index is tainted)}}
20 // expected-note@-1 {{Out of bound memory access (index is tainted)}}
21 }
22
taintDiagnosticDivZero(int operand)23 int taintDiagnosticDivZero(int operand) {
24 scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}}
25 // expected-note@-1 {{Taint originated here}}
26 return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}}
27 // expected-note@-1 {{Division by a tainted value, possibly zero}}
28 }
29
taintDiagnosticVLA()30 void taintDiagnosticVLA() {
31 int x;
32 scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
33 // expected-note@-1 {{Taint originated here}}
34 int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}}
35 // expected-note@-1 {{Declared variable-length array (VLA) has tainted size}}
36 }
37