steakhal added a comment.

I'm thinking of a heuristic like this:

  bool IsAtOffsetZero = [ByteOffset] {
    const auto *Int = ByteOffset.getAsInteger();
    return Int && Int->isZero();
  }();
  // ...
  if (state_precedesLowerBound && state_withinLowerBound && !IsAtOffsetZero &&
      isTainted(state, location)) {
    reportTaintOOB(checkerContext, state_precedesLowerBound, location);
    return;
  }

It will definitely not work for all cases but should filter out the most 
annoying ones.

  int testTaintedPtr() {
    // Read a pointer from a tainted source and dereference it.
    char *app = getenv("APP_NAME");
    if (!app)
      return -1;
    if (app[0] == '\0') return 0; // no-warning: Allow manual checking for null 
terminator at offset zero.
    if (app[1] == '\0') return 1; // expected-warning {{Out of bound memory 
access (index is tainted)}} Any other index than 0 is disallowed.
    if (app[2] == '\0') return 2; // no-warning: The path already sunk.
    return -1;
  }



================
Comment at: clang/test/Analysis/taint-generic.c:1133-1141
+void testTaintedLowerConstrainedIndex() {
+  int n;
+  scanf("%d", &n);
+  if (n >= 0) {
+    // We only constained the lower end, and it's tainted => report.
+    Buffer[n] = 1; // expected-warning {{Out of bound memory access (index is 
tainted)}}
+  }
----------------
donat.nagy wrote:
> Also add the "opposite" of this where you test `if (n < BUFSIZE)`.
Makes sense.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D159105/new/

https://reviews.llvm.org/D159105

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to