================
@@ -0,0 +1,40 @@
+// RUN: %clang_analyze_cc1
-analyzer-checker=optin.taint,core,security.ArrayBound -analyzer-config
assume-controlled-environment=false -analyzer-output=text -verify %s
+
+// This file is for testing enhanced diagnostics produced by the
GenericTaintChecker
+
+typedef __typeof(sizeof(int)) size_t;
+int system(const char *command);
+size_t strlen( const char* str );
+char * strncat ( char * destination, const char * source, size_t num );
+char * strncpy ( char * destination, const char * source, size_t num );
+
+// In an untrusted environment the cmd line arguments
+// are assumed to be tainted.
+int main(int argc, char * argv[]) {// expected-note {{Taint originated in
'argv'}}
+ if (argc < 1)// expected-note {{'argc' is >= 1}}
+ // expected-note@-1 {{Taking false branch}}
+ return 1;
+ char cmd[2048] = "/bin/cat ";
+ char filename[1024];
+ strncpy(filename, argv[1], sizeof(filename)-1); // expected-note {{Taint
propagated to the 1st argument}}
----------------
steakhal wrote:
You access `argv[1]` here, but `argc >= 1` only ensures that `argv[0]` is valid.
So why don't we have a warning here? `argv` is tainted and the access is not
proved to be in-bounds.
https://github.com/llvm/llvm-project/pull/178054