This revision was automatically updated to reflect the committed changes. Closed by commit rG49285f43e5ed: [analyzer] sprintf is a taint propagator not a source (authored by steakhal). Herald added a project: clang. Herald added a subscriber: cfe-commits.
Changed prior to commit: https://reviews.llvm.org/D112558?vs=382600&id=382953#toc Repository: rG LLVM Github Monorepo CHANGES SINCE LAST ACTION https://reviews.llvm.org/D112558/new/ https://reviews.llvm.org/D112558 Files: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp clang/test/Analysis/taint-generic.c
Index: clang/test/Analysis/taint-generic.c
===================================================================
--- clang/test/Analysis/taint-generic.c
+++ clang/test/Analysis/taint-generic.c
@@ -341,6 +341,16 @@
 *(volatile int *) 0; // no-warning
 }
+int sprintf_is_not_a_source(char *buf, char *msg) {
+ int x = sprintf(buf, "%s", msg); // no-warning
+ return 1 / x; // no-warning: 'sprintf' is not a taint source
+}
+
+int sprintf_propagates_taint(char *buf, char *msg) {
+ scanf("%s", msg);
+ int x = sprintf(buf, "%s", msg); // propagate taint!
+ return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
+}
 // Test configuration
 int mySource1();
Index: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -514,7 +514,7 @@
 if (OneOf("snprintf"))
 return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3};
 if (OneOf("sprintf"))
- return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2};
+ return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 2};
 if (OneOf("strcpy", "stpcpy", "strcat"))
 return {{1}, {0, ReturnValueIndex}};
 if (OneOf("bcopy"))
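Review bot: `sprintf_propagates_taint` taints only `msg`, which is passed as a variadic argument, so nothing in this hunk exercises the format-string position (index 1) that the GenericTaintChecker.cpp hunk adds as a source, and the destination `buf` is never checked even though that rule lists argument 0 as a propagation target. I would add one case that taints the format argument itself and one that passes `buf` on to something the checker flags, so a regression in either index shows up here. A tainted format string may also produce a separate format-string diagnostic, so the expected-warning lines for that case need to be confirmed against the analyzer output. A comment above the pair such as `// sprintf: taint flows from the format and varargs to buf and the return value` would state the contract under test. The same hunk is repeated in the second copy of the patch further down the page.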
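Review bot: The new `sprintf` rule is a bare tuple of indices, and neither it nor the `snprintf` rule above it says which argument each number refers to; a comment such as `// sprintf(dst, fmt, ...): fmt (1) and varargs (2+) taint dst (0) and the return value` would make the rule checkable at a glance. Read side by side, `snprintf` lists index 1 and starts its variadic sources at 3, which, if the first list holds source argument indices as this change implies, leaves its format string at index 2 out of the sources; it is worth confirming whether that is intentional. The enclosing function starts and ends outside the hunk, so the meaning of the trailing fields is inferred from these lines only. A missing source index matters because it gives a silent false negative when tainted data reaches the output buffer. The same hunk is repeated in the second copy of the patch further down the page.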
Index: clang/test/Analysis/taint-generic.c
===================================================================
--- clang/test/Analysis/taint-generic.c
+++ clang/test/Analysis/taint-generic.c
@@ -341,6 +341,16 @@
 *(volatile int *) 0; // no-warning
 }
+int sprintf_is_not_a_source(char *buf, char *msg) {
+ int x = sprintf(buf, "%s", msg); // no-warning
+ return 1 / x; // no-warning: 'sprintf' is not a taint source
+}
+
+int sprintf_propagates_taint(char *buf, char *msg) {
+ scanf("%s", msg);
+ int x = sprintf(buf, "%s", msg); // propagate taint!
+ return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
+}
 // Test configuration
 int mySource1();
Index: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -514,7 +514,7 @@
 if (OneOf("snprintf"))
 return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3};
 if (OneOf("sprintf"))
- return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2};
+ return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 2};
 if (OneOf("strcpy", "stpcpy", "strcat"))
 return {{1}, {0, ReturnValueIndex}};
 if (OneOf("bcopy"))