taint-tester.c revision dcf06fa1fbb9c018e152629ef3f3fa7b1acffe7a
1// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest -verify %s 2 3int scanf(const char *restrict format, ...); 4int getchar(void); 5 6#define BUFSIZE 10 7int Buffer[BUFSIZE]; 8 9struct XYStruct { 10 int x; 11 float y; 12}; 13 14void taintTracking(int x) { 15 int n; 16 int *addr = &Buffer[0]; 17 scanf("%d", &n); 18 addr += n;// expected-warning 2 {{tainted}} 19 *addr = n; // expected-warning 3 {{tainted}} 20 21 double tdiv = n / 30; // expected-warning 3 {{tainted}} 22 char *loc_cast = (char *) n; // expected-warning {{tainted}} 23 char tinc = tdiv++; // expected-warning {{tainted}} 24 int tincdec = (char)tinc--; // expected-warning 2 {{tainted}} 25 26 // Tainted ptr arithmetic/array element address. 27 int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}} 28 29 // Tainted struct address, casts. 30 struct XYStruct *xyPtr = 0; 31 scanf("%p", &xyPtr); 32 void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}} 33 struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}} 34} 35