commit 17f7bdddd11a2dc5b4be248f756e14b1ebfe207b
author Ted Kremenek <kremenek@apple.com> Wed Aug 03 20:17:43 2011 +0000
committer Ted Kremenek <kremenek@apple.com> Wed Aug 03 20:17:43 2011 +0000
tree 200c9e1b0fea557e1070bf2130cbe7387dc58c94
parent 74133075f5024ce87e4c1eb644d77c20e1c521f4

[analyzer] Introduce MallocOverflowSecurityChecker, a simple flow-sensitive checker that may be useful for security auditing.  This checker is currently too noisy to be on by default.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@136804 91177308-0d34-0410-b5e6-96231b3b80d8

test/Analysis/malloc-overflow.c

diff --git a/test/Analysis/malloc-overflow.c b/test/Analysis/malloc-overflow.c
new file mode 100644
index 0000000..91bdc87
--- /dev/null
+++ b/test/Analysis/malloc-overflow.c
@@ -0,0 +1,114 @@
+// RUN: %clang_cc1 -triple x86_64-apple-macosx10.7.0 -analyze -analyzer-checker=security.experimental.MallocOverflow -verify %s
+
+typedef __typeof__(sizeof(int)) size_t;
+extern void * malloc(size_t);
+
+void * f1(int n)
+{
+  return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
+}
+
+void * f2(int n)
+{
+  return malloc(sizeof(int) * n); // // expected-warning {{the computation of the size of the memory allocation may overflow}}
+}
+
+void * f3()
+{
+  return malloc(4 * sizeof(int));  // no-warning
+}
+
+struct s4
+{
+  int n;
+};
+
+void * f4(struct s4 *s)
+{
+  return malloc(s->n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
+}
+
+void * f5(struct s4 *s)
+{
+  struct s4 s2 = *s;
+  return malloc(s2.n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
+}
+
+void * f6(int n)
+{
+  return malloc((n + 1) * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
+}
+
+#include <stddef.h>
+extern void * malloc (size_t);
+
+void * f7(int n)
+{
+  if (n > 10)
+    return NULL;
+  return malloc(n * sizeof(int));  // no-warning
+}
+
+void * f8(int n)
+{
+  if (n < 10)
+    return malloc(n * sizeof(int));  // no-warning
+  else
+    return NULL;
+}
+
+void * f9(int n)
+{
+  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
+  for (int i = 0; i < n; i++)
+    x[i] = i;
+  return x;
+}
+
+void * f10(int n)
+{
+  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
+  int i = 0;
+  while (i < n)
+    x[i++] = 0;
+  return x;
+}
+
+void * f11(int n)
+{
+  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
+  int i = 0;
+  do {
+    x[i++] = 0;
+  } while (i < n);
+  return x;
+}
+
+void * f12(int n)
+{
+  n = (n > 10 ? 10 : n);
+  int * x = malloc(n * sizeof(int));  // no-warning
+  for (int i = 0; i < n; i++)
+    x[i] = i;
+  return x;
+}
+
+struct s13
+{
+  int n;
+};
+
+void * f13(struct s13 *s)
+{
+  if (s->n > 10)
+    return NULL;
+  return malloc(s->n * sizeof(int));  // no warning
+}
+
+void * f14(int n)
+{
+  if (n < 0)
+    return NULL;
+  return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
+}
+