File: taint-alloc-5.c

#include "analyzer-decls.h"

/* Aggregate passed by value to test_1; its 'num' field is the operand
   that test_1 multiplies to form the allocation size.  The expected
   diagnostics name the expression 'f.num * 16', so the field name is
   part of what the test checks.  */
struct foo
{
  int num;
};

/* malloc with tainted size from a field.

   The tainted_args attribute tells the analyzer to treat every argument
   of test_1 as attacker-controlled.  The test checks that taint reaches
   the field F.num of the by-value struct parameter, survives the
   multiplication F.num * 16, and is reported when the product is used as
   an allocation size with no upper bound established
   (-Wanalyzer-tainted-allocation-size).

   Outside a test, the range of the field would be validated before the
   multiplication: the product is a signed int, so besides being
   unbounded it can be negative or overflow before it is converted to the
   allocator's size type.  */

void * __attribute__ ((tainted_args))
test_1 (struct foo f)
{
  /* Both the field and the value derived from it are expected to be in
     the 'tainted' state of the "taint" state machine.  */
  __analyzer_dump_state ("taint", f.num); /* { dg-warning "state: 'tainted'" } */
  __analyzer_dump_state ("taint", f.num * 16); /* { dg-warning "state: 'tainted'" } */

  /* The message directive on the line after the return refers back to
     it with a relative line number (.-1), so the two lines must stay
     adjacent.  */
  return __builtin_malloc (f.num * 16); /* { dg-warning "use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
  /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'f\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target *-*-* } .-1 } */
}