Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / clang / 1fb826a6fd893234f32b0b91bb92ea4d127788ad^! / . / test / Analysis / taint-generic.c
commit1fb826a6fd893234f32b0b91bb92ea4d127788ad[log] [tgz]
authorAnna Zaks <ganna@apple.com>Thu Jan 12 02:22:34 2012 +0000
committerAnna Zaks <ganna@apple.com>Thu Jan 12 02:22:34 2012 +0000
treea146fb7bf4be12981dc3e6ce6938a7c250e053b0
parente9c876044b7fe9560128a41d511426c014bf5d3f [diff] [blame]
[analyzer] Add taint transfer by strcpy & others (part 1).

To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.

Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148010 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/test/Analysis/taint-generic.c b/test/Analysis/taint-generic.c
index a23d20f..fd9884d 100644
--- a/test/Analysis/taint-generic.c
+++ b/test/Analysis/taint-generic.c

@@ -3,6 +3,26 @@
 int scanf(const char *restrict format, ...);
 int getchar(void);
 
+typedef struct _FILE FILE;
+extern FILE *stdin;
+int fscanf(FILE *restrict stream, const char *restrict format, ...);
+int sprintf(char *str, const char *format, ...);
+void setproctitle(const char *fmt, ...);
+typedef __typeof(sizeof(int)) size_t;
+
+// Define string functions. Use builtin for some of them. They all default to
+// the processing in the taint checker.
+#define strcpy(dest, src) \
+  ((__builtin_object_size(dest, 0) != -1ULL) \
+   ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
+   : __inline_strcpy_chk(dest, src))
+
+static char *__inline_strcpy_chk (char *dest, const char *src) {
+  return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
+}
+char *stpcpy(char *restrict s1, const char *restrict s2);
+char *strncpy( char * destination, const char * source, size_t num );
+
 #define BUFSIZE 10
 
 int Buffer[BUFSIZE];
@@ -47,16 +67,23 @@
   Buffer[m] = 1;  //expected-warning {{Out of bound memory access }}
 }
 
-typedef struct _FILE FILE;
-extern FILE *stdin;
-int fscanf(FILE *restrict stream, const char *restrict format, ...);
-int sprintf(char *str, const char *format, ...);
-void setproctitle(const char *fmt, ...);
-
-void testUncontrolledFormatString() {
+void testUncontrolledFormatString(char **p) {
   char s[80];
   fscanf(stdin, "%s", s);
   char buf[128];
   sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
   setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
+
+  // Test taint propagation through strcpy and family.
+  char scpy[80];
+  strcpy(scpy, s);
+  sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
+
+  char spcpy[80];
+  stpcpy(spcpy, s);
+  setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
+
+  char sncpy[80];
+  strncpy(sncpy, s, 20);
+  setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
 }