Author: aaronballman Date: Wed Nov 29 15:10:14 2017 New Revision: 319383 URL: http://llvm.org/viewvc/llvm-project?rev=319383&view=rev Log: Perform a bounds check on a function's argument list before accessing any index value specified by an 'argument_with_type_tag' attribute. Fixes PR28520.
Patch by Matt Davis. Added: cfe/trunk/test/Sema/error-type-safety.cpp Modified: cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td cfe/trunk/include/clang/Sema/Sema.h cfe/trunk/lib/Sema/SemaChecking.cpp
Modified: cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td?rev=319383&r1=319382&r2=319383&view=diff
==============================================================================
--- cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td (original)
+++ cfe/trunk/include/clang/Basic/DiagnosticSemaKinds.td Wed Nov 29 15:10:14 2017
@@ -7919,6 +7919,8 @@ def err_type_tag_for_datatype_too_large
 "'type_tag_for_datatype' attribute requires the initializer to be "
 "an %select{integer|integral}0 constant expression "
 "that can be represented by a 64 bit integer">;
+def err_tag_index_out_of_range : Error<
+ "%select{type tag|argument}0 index %1 is greater than the number of arguments specified">;
 def warn_type_tag_for_datatype_wrong_kind : Warning<
 "this type tag was not designed to be used with this function">,
 InGroup<TypeSafety>;
Modified: cfe/trunk/include/clang/Sema/Sema.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Sema/Sema.h?rev=319383&r1=319382&r2=319383&view=diff
==============================================================================
--- cfe/trunk/include/clang/Sema/Sema.h (original)
+++ cfe/trunk/include/clang/Sema/Sema.h Wed Nov 29 15:10:14 2017
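Review bot: The new `err_tag_index_out_of_range` message tells the user the offending index but not how many arguments the call actually supplied, which is the number they have to compare it against; adding the count as a third operand, `"%select{type tag|argument}0 index %1 is greater than the number of arguments specified (%2)"`, with `ExprArgs.size()` streamed from the emitting code in SemaChecking.cpp, would make the diagnostic self-contained. The `%select` ordering (0 = type tag, 1 = argument) must stay in step with the literal `<< 0` / `<< 1` operands in SemaChecking.cpp, and nothing on the definition records that coupling; a one-line comment above it, `// %0 selects the index kind: 0 = type tag index, 1 = argument index (see Sema::CheckArgumentWithTypeTag)`, would. Wording-wise, `exceeds the number of arguments in the call` is shorter than "is greater than the number of arguments specified" and says the same thing.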
@@ -10455,7 +10455,8 @@ private:
 /// \brief Peform checks on a call of a function with argument_with_type_tag
 /// or pointer_with_type_tag attributes.
 void CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
- const Expr * const *ExprArgs);
+ const ArrayRef<const Expr *> ExprArgs,
+ SourceLocation CallSiteLoc);
 /// \brief Check if we are taking the address of a packed field
 /// as this may be a problem if the pointer value is dereferenced.
Modified: cfe/trunk/lib/Sema/SemaChecking.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Sema/SemaChecking.cpp?rev=319383&r1=319382&r2=319383&view=diff
==============================================================================
--- cfe/trunk/lib/Sema/SemaChecking.cpp (original)
+++ cfe/trunk/lib/Sema/SemaChecking.cpp Wed Nov 29 15:10:14 2017
@@ -2754,7 +2754,7 @@ void Sema::checkCall(NamedDecl *FDecl, c
 // Type safety checking.
 if (FDecl) {
 for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
- CheckArgumentWithTypeTag(I, Args.data());
+ CheckArgumentWithTypeTag(I, Args, Loc);
 }
 }
@@ -12329,10 +12329,18 @@ static bool IsSameCharType(QualType T1,
 }
 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
- const Expr * const *ExprArgs) {
+ const ArrayRef<const Expr *> ExprArgs,
+ SourceLocation CallSiteLoc) {
 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();
 bool IsPointerAttr = Attr->getIsPointer();
+ // Retrieve the argument representing the 'type_tag'.
+ if (Attr->getTypeTagIdx() >= ExprArgs.size()) {
+ // Add 1 to display the user's specified value.
+ Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
+ << 0 << Attr->getTypeTagIdx() + 1;
+ return;
+ }
 const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()];
 bool FoundWrongKind;
 TypeTagData TypeInfo;
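Review bot: The top-level `const` on the by-value `ArrayRef` parameter in the new declaration is redundant and not how the rest of Sema.h spells such parameters; an `ArrayRef` is already a non-owning view and is passed as plain `ArrayRef<const Expr *> ExprArgs` (the same `const` is repeated on the definition in SemaChecking.cpp). The `\brief` comment above the declaration is not updated for the new `CallSiteLoc` parameter, so a reader cannot tell from the header where the new out-of-range diagnostic lands; I would add `/// \param CallSiteLoc location at which an attribute index that exceeds the call's argument count is diagnosed.` While touching that comment, "Peform" on the first context line is a typo for "Perform".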
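Review bot: The seven-line bounds check added before `ExprArgs[Attr->getTypeTagIdx()]` is repeated almost verbatim for `getArgumentIdx()` in the next hunk of this file; the only differences are the index getter and the `%select` operand, so a small local lambda would keep the two checks and their diagnostics from drifting apart. The check itself is the right fix for the out-of-bounds read: the old `const Expr * const *` pointer carried no length, so an attribute index beyond the end of a variadic call's argument list was dereferenced unchecked, and switching to `ArrayRef` makes the length available exactly where it is needed. Two smaller points: the error is reported at the call site while the bad index lives in the attribute on the declaration, so a note at `Attr->getLocation()` would point the user at what to fix, and as written the error is re-emitted at every call of that function. The `unsigned`-vs-`size_t` comparison is fine since both sides are unsigned. CheckArgumentWithTypeTag's body continues past the end of this hunk.
```cpp
void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
                                    ArrayRef<const Expr *> ExprArgs,
                                    SourceLocation CallSiteLoc) {
  // … unchanged: ArgumentKind / IsPointerAttr …

  // Attribute indices are stored zero-based but written one-based by the
  // user, hence the +1 in the diagnostic. Kind selects the
  // "type tag"/"argument" wording of err_tag_index_out_of_range.
  auto DiagnoseIndexOutOfRange = [&](unsigned Idx, unsigned Kind) {
    if (Idx < ExprArgs.size())
      return false;
    Diag(CallSiteLoc, diag::err_tag_index_out_of_range) << Kind << Idx + 1;
    return true;
  };

  if (DiagnoseIndexOutOfRange(Attr->getTypeTagIdx(), /*Kind=*/0))
    return;
  const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()];
  // … unchanged: type tag lookup and kind check …
  // (in the later hunk the argument-index block becomes the same one call)
  if (DiagnoseIndexOutOfRange(Attr->getArgumentIdx(), /*Kind=*/1))
    return;
  const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()];
```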
@@ -12346,6 +12354,13 @@ void Sema::CheckArgumentWithTypeTag(cons
 return;
 }
+ // Retrieve the argument representing the 'arg_idx'.
+ if (Attr->getArgumentIdx() >= ExprArgs.size()) {
+ // Add 1 to display the user's specified value.
+ Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
+ << 1 << Attr->getArgumentIdx() + 1;
+ return;
+ }
 const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()];
 if (IsPointerAttr) {
 // Skip implicit cast of pointer to `void *' (as a function argument).
Added: cfe/trunk/test/Sema/error-type-safety.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Sema/error-type-safety.cpp?rev=319383&view=auto
==============================================================================
--- cfe/trunk/test/Sema/error-type-safety.cpp (added)
+++ cfe/trunk/test/Sema/error-type-safety.cpp Wed Nov 29 15:10:14 2017
@@ -0,0 +1,23 @@
+// RUN: %clang_cc1 -fsyntax-only -verify %s
+
+#define INT_TAG 42
+
+static const int test_in
+ __attribute__((type_tag_for_datatype(test, int))) = INT_TAG;
+
+// Argument index: 1, Type tag index: 2
+void test_bounds_index(...)
+ __attribute__((argument_with_type_tag(test, 1, 2)));
+
+// Argument index: 3, Type tag index: 1
+void test_bounds_arg_index(...)
+ __attribute__((argument_with_type_tag(test, 3, 1)));
+
+void test_bounds()
+{
+ // Test the boundary edges (ensure no off-by-one) with argument indexing.
+ test_bounds_index(1, INT_TAG);
+
+ test_bounds_index(1); // expected-error {{type tag index 2 is greater than the number of arguments specified}}
+ test_bounds_arg_index(INT_TAG, 1); // expected-error {{argument index 3 is greater than the number of arguments specified}}
+}
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
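Review bot: The argument-index check is placed after the type-tag lookup, so a call whose argument index is out of range but whose type tag cannot be resolved (the `return;` visible at the top of this hunk appears to leave the function in that case) never receives the new diagnostic; validating both indices up front, before any lookup, would report every bad index in one pass and would also make the early `return` paths easier to audit. The duplicated check itself, and the missing note at the attribute's location, are raised on the earlier hunk of this file. CheckArgumentWithTypeTag's body continues outside both ends of this hunk.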
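Review bot: The new test exercises only `argument_with_type_tag`; the same code path is taken for `pointer_with_type_tag` (the `IsPointerAttr` flag in SemaChecking.cpp is read from the same attribute object) and for a call that passes no arguments at all, and neither is covered. A zero-argument call is the cheapest addition, `test_bounds_index(); // expected-error {{type tag index 2 is greater than the number of arguments specified}}`, and a `void test_bounds_ptr(...) __attribute__((pointer_with_type_tag(test, 1, 2)));` declaration called with one argument would cover the pointer variant. The `// Argument index: 1, Type tag index: 2` comments are helpful; saying once that the attribute indices are one-based would make the expected messages easier to check against the declarations.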