[analyzer] Fix taint propagation in GenericTaintChecker
The gets function has no SrcArgs. Because the default value for isTainted was
false, it didn't mark its DstArgs as tainted.
Patch by Gábor Borsik!
Differential Revision: https://reviews.llvm.org/D58828
llvm-svn: 355396
diff --git a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
index c50fe49..eeddfdd 100644
--- a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -458,7 +458,7 @@
ProgramStateRef State = C.getState();
// Check for taint in arguments.
- bool IsTainted = false;
+ bool IsTainted = true;
for (unsigned ArgNum : SrcArgs) {
if (ArgNum >= CE->getNumArgs())
return State;
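Review bot: Initializing `IsTainted` to `true` makes the empty-SrcArgs case (gets) correct only as long as the loop body overwrites the flag on every iteration — a rule whose source arguments are all untainted ends up `false` only if the loop assigns rather than ORs, and that part of the loop is outside the hunk, so the invariant is invisible at the point it is relied on. Writing the intent directly, `bool IsTainted = SrcArgs.empty();`, yields the same result for a rule with no sources while keeping a rule with sources `false` until a tainted one is found, and it survives a later rewrite of the loop to `IsTainted |= ...`. The comment on the preceding line no longer matches the code; it should say why, e.g. `// A propagation rule with no source arguments taints its destinations unconditionally.`. The enclosing function starts and ends outside the hunk.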
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index 3052950..42e390dd 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -2,6 +2,7 @@
// RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
int scanf(const char *restrict format, ...);
+char *gets(char *str);
int getchar(void);
typedef struct _FILE FILE;
@@ -142,6 +143,12 @@
system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
}
+void testGets() {
+ char str[50];
+ gets(str);
+ system(str); // expected-warning {{Untrusted data is passed to a system call}}
+}
+
void testTaintedBufferSize() {
size_t ts;
scanf("%zd", &ts);