malloc-overflow.c revision 6479c664f0ea191e72224578b655d8846f919bef
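// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.MallocOverflow -verify %s

// Test input for the static analyzer's MallocOverflow checker. Each function
// in this file passes a size expression to malloc(); the trailing comment on
// the malloc line records whether a diagnostic is required at that line.
//
// The file declares NULL, size_t and malloc itself and includes no headers.
#define NULL ((void *) 0)
typedef __typeof__(sizeof(int)) size_t;  // the type that sizeof yields on the target
extern void * malloc(size_t);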
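// Unbounded `int` count multiplied by sizeof(int) directly in the malloc
// argument. n is converted to size_t for the multiplication, so a negative n
// (and, where size_t is no wider than int, a large positive one) wraps the
// product and the allocation is smaller than the caller assumes.
// Nothing constrains n before the call, so a diagnostic is required.
void * f1(int n)
{
  return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
}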
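// Same unbounded multiplication as f1 with the operands swapped
// (sizeof(int) on the left). The diagnostic must not depend on operand order.
void * f2(int n)
{
  return malloc(sizeof(int) * n); // // expected-warning {{the computation of the size of the memory allocation may overflow}}
}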
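// Negative case: both factors are compile-time constants, so the size cannot
// be influenced by a caller and no diagnostic is wanted.
void * f3()
{
  return malloc(4 * sizeof(int));  // no-warning
}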
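// Carrier for an element count that reaches malloc through a struct member
// (used by f4 and f5).
struct s4
{
  int n;
};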
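// The count is read through a pointer to a struct rather than from a plain
// parameter. s->n is still unbounded when it is multiplied, so a diagnostic is
// required. s itself is dereferenced without a NULL check.
void * f4(struct s4 *s)
{
  return malloc(s->n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}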
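// The struct is copied into a local first and the count is read from the copy.
// Copying does not constrain the value, so a diagnostic is still required.
void * f5(struct s4 *s)
{
  struct s4 s2 = *s;
  return malloc(s2.n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}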
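// The variable factor is an expression (n + 1) instead of a bare variable.
// Besides the size_t wrap in the multiplication, n + 1 is signed arithmetic
// and overflows (undefined behavior) when n is INT_MAX.
void * f6(int n)
{
  return malloc((n + 1) * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}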
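// Second declaration of malloc, redundant with the one near the top of the
// file (note the space before the parameter list).
// NOTE(review): presumably kept so the checker is exercised against a
// redeclared callee — confirm.
extern void * malloc (size_t);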
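// Negative case: n is compared against a constant and rejected before the
// allocation, and the test requires no diagnostic.
//
// The guard is an upper bound only. A negative n passes it and is converted to
// a very large size_t in the multiplication, so silence from the checker here
// is not proof that the size is safe for every input.
void * f7(int n)
{
  if (n > 10)
    return NULL;
  return malloc(n * sizeof(int));  // no-warning
}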
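// Negative case: the allocation sits inside the branch guarded by `n < 10`,
// the mirror image of f7's early return. No diagnostic is wanted.
//
// As in f7 the check bounds n from above only; negative values still reach
// the multiplication.
void * f8(int n)
{
  if (n < 10)
    return malloc(n * sizeof(int));  // no-warning
  else
    return NULL;
}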
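// n is compared only in the for-loop condition, after the allocation has been
// sized. A comparison that follows the malloc call does not bound the size,
// so a diagnostic is still required.
//
// This is the shape where a wrapped size turns into memory corruption: the
// loop writes n ints into a buffer that may hold fewer. The malloc result is
// also used without a NULL check.
void * f9(int n)
{
  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
  for (int i = 0; i < n; i++)
    x[i] = i;
  return x;
}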
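// Same as f9 with a while loop: the only comparison involving n comes after
// the allocation, so a diagnostic is required. The loop zero-fills n ints; the
// malloc result is not checked for NULL before it is written.
void * f10(int n)
{
  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
  int i = 0;
  while (i < n)
    x[i++] = 0;
  return x;
}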
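// Same as f9 with a do/while loop: the comparison involving n comes after the
// allocation, so a diagnostic is required.
//
// Because the body runs before the condition is tested, x[0] is written even
// when n <= 0, and the malloc result is not checked for NULL.
void * f11(int n)
{
  int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
  int i = 0;
  do {
    x[i++] = 0;
  } while (i < n);
  return x;
}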
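// Negative case: n is reassigned to a value clamped to at most 10 before the
// allocation, and the test requires no diagnostic even though the same
// post-allocation loop as in f9 follows.
//
// The clamp is an upper bound only; a negative n is kept as is and still
// reaches the multiplication (the loop then does not run).
void * f12(int n)
{
  n = (n > 10 ? 10 : n);
  int * x = malloc(n * sizeof(int));  // no-warning
  for (int i = 0; i < n; i++)
    x[i] = i;
  return x;
}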
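// Carrier for an element count read through a struct member (used by f13).
struct s13
{
  int n;
};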
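// Negative case: struct-member variant of f7. s->n is compared against a
// constant before the allocation, so no diagnostic is wanted.
//
// The guard is an upper bound only, and s is dereferenced without a NULL
// check.
void * f13(struct s13 *s)
{
  if (s->n > 10)
    return NULL;
  return malloc(s->n * sizeof(int));  // no warning
}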
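// A sign check is not a bound: `n < 0` rejects negative counts but places no
// upper limit on n, so the product can still wrap where size_t is no wider
// than int. The test requires a diagnostic despite the comparison, which
// separates this case from the constant upper bounds in f7 and f8.
void * f14(int n)
{
  if (n < 0)
    return NULL;
  return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
}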