malloc-overflow.c revision 17f7bdddd11a2dc5b4be248f756e14b1ebfe207b
1// RUN: %clang_cc1 -triple x86_64-apple-macosx10.7.0 -analyze -analyzer-checker=security.experimental.MallocOverflow -verify %s
2
// size_t and malloc are declared by hand here, before any header is included.
// size_t is derived from the type of a sizeof expression, so it is unsigned.
3typedef __typeof__(sizeof(int)) size_t;
4extern void * malloc(size_t);
5
// Baseline case: the element count is an int parameter that is never compared
// against anything before it is multiplied by sizeof(int). Because sizeof
// yields size_t, n is converted to unsigned first, so a negative n becomes a
// very large count and the product can wrap to a small allocation size.
// The annotation on the malloc line records that the checker must report this.
6void * f1(int n)
7{
8  return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
9}
10
// Same as f1 with the operands swapped (sizeof(int) on the left); the
// annotation shows the report must not depend on operand order.
11void * f2(int n)
12{
13  return malloc(sizeof(int) * n); // // expected-warning {{the computation of the size of the memory allocation may overflow}}
14}
15
// Negative case: both factors are compile-time constants (4 and sizeof(int)),
// so no caller-controlled value reaches the size computation and the checker
// must stay silent.
16void * f3()
17{
18  return malloc(4 * sizeof(int));  // no-warning
19}
20
// Carrier for an int count; f4 and f5 read the count from this struct rather
// than from a plain parameter.
21struct s4
22{
23  int n;  // element count used as a malloc size factor by f4/f5
24};
25
// The unchecked count is read through a pointer member access (s->n) instead
// of a parameter; the annotation requires the same report as f1.
// s itself is dereferenced without a NULL check.
26void * f4(struct s4 *s)
27{
28  return malloc(s->n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
29}
30
// The struct is first copied into a local (s2) and the count is read from the
// copy (s2.n). Copying does not bound the value, and the annotation requires
// the report here as well.
31void * f5(struct s4 *s)
32{
33  struct s4 s2 = *s;
34  return malloc(s2.n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
35}
36
// The variable factor is a compound expression, (n + 1), rather than a bare
// identifier; the annotation requires the report to cover that form too.
// Independently of the multiplication, n + 1 is signed int arithmetic and
// overflows when n is INT_MAX.
37void * f6(int n)
38{
39  return malloc((n + 1) * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
40}
41
// <stddef.h> supplies the NULL used by the functions below; malloc is then
// declared a second time with the same signature as the earlier declaration.
42#include <stddef.h>
43extern void * malloc (size_t);
44
// Negative case: n is compared against a constant and the function returns
// early before the allocation, and the checker must not report.
// Note for readers borrowing this pattern: only the upper bound is tested, so
// a negative n still reaches malloc and converts to a very large size_t. The
// silence here reflects the checker's heuristic, not a complete range check.
45void * f7(int n)
46{
47  if (n > 10)
48    return NULL;
49  return malloc(n * sizeof(int));  // no-warning
50}
51
// Negative case, mirror image of f7: the allocation sits inside the branch
// guarded by the comparison (n < 10) instead of after an early return.
// As in f7, no lower bound on n is enforced.
52void * f8(int n)
53{
54  if (n < 10)
55    return malloc(n * sizeof(int));  // no-warning
56  else
57    return NULL;
58}
59
// n appears in a comparison (the for-loop condition i < n), but only after
// the allocation. The annotation requires the report anyway, so a later loop
// bound must not be mistaken for a check on the size.
// This is the pattern that turns a wrapped size into a heap overflow: the
// loop writes n elements into whatever malloc actually returned. The result
// is also used without a NULL check.
60void * f9(int n)
61{
62  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
63  for (int i = 0; i < n; i++)
64    x[i] = i;
65  return x;
66}
67
// Same situation as f9 with a while loop: the comparison i < n comes after
// the allocation and must not suppress the report. x is written without a
// NULL check.
68void * f10(int n)
69{
70  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
71  int i = 0;
72  while (i < n)
73    x[i++] = 0;
74  return x;
75}
76
// Same situation as f9/f10 with a do-while loop: the comparison follows the
// allocation and must not suppress the report.
// The do-while body runs once before i < n is evaluated, so x[0] is written
// even when n <= 0. x is also used without a NULL check.
77void * f11(int n)
78{
79  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
80  int i = 0;
81  do {
82    x[i++] = 0;
83  } while (i < n);
84  return x;
85}
86
// Negative case: n is clamped to at most 10 with a conditional expression
// before the allocation, and the checker must not report.
// The clamp limits only the upper end, so negative values pass through
// unchanged. x is written without a NULL check.
87void * f12(int n)
88{
89  n = (n > 10 ? 10 : n);
90  int * x = malloc(n * sizeof(int));  // no-warning
91  for (int i = 0; i < n; i++)
92    x[i] = i;
93  return x;
94}
95
// Carrier for an int count; f13 reads and checks the count through this struct.
96struct s13
97{
98  int n;  // element count compared and then used as a malloc size factor in f13
99};
100
// Negative case: struct-member version of f7. s->n is compared against a
// constant with an early return before the allocation, and the checker must
// not report. Only the upper bound is tested, and s is dereferenced without
// a NULL check.
101void * f13(struct s13 *s)
102{
103  if (s->n > 10)
104    return NULL;
105  return malloc(s->n * sizeof(int));  // no warning
106}
107
// n is checked, but only against a lower bound (n < 0 returns NULL). The
// annotation requires the report to remain, so rejecting negative values
// alone is not accepted as bounding the product.
// NOTE(review): on the 64-bit triple in the RUN line, a non-negative int
// times sizeof(int) fits in size_t, so this case appears to pin the
// checker's conservative behaviour rather than a reachable wrap. Confirm
// against the checker implementation.
108void * f14(int n)
109{
110  if (n < 0)
111    return NULL;
112  return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
113}
114
115