1 // RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-config alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml -Wno-format-security -verify -std=c++11 %s
// Hand-written global-namespace declarations of the stdio functions and the
// range-check helper that the tests below call without a qualifier.
6 int scanf(const char*, ...);
10 typedef struct _FILE
FILE;
14 int fscanf(FILE *stream
, const char *format
, ...);
16 bool isOutOfRange2(const int*);
// Namespaced counterparts of the global scanf and isOutOfRange2, plus helpers
// (myScanf, isOutOfRange, mySink) that the tests call with a qualified name.
// NOTE(review): further members and the closing brace of this namespace are
// not shown in this listing.
21 namespace myNamespace
{
22 void scanf(const char*, ...);
23 void myScanf(const char*, ...);
26 bool isOutOfRange(const int*);
27 bool isOutOfRange2(const int*);
29 void mySink(int, int, int);
// Second namespace declaring its own isOutOfRange2, so the same unqualified
// name exists in the global scope and in two namespaces.
// NOTE(review): further members and the closing brace are not shown here.
33 namespace myAnotherNamespace
{
36 bool isOutOfRange2(const int*);
// Scope test for the built-in scanf taint source: the call below goes to
// myNamespace::scanf and the store that follows it is marked clean, so the
// analyzer must not treat the namespaced function as the built-in one.
// NOTE(review): listing lines 42 and 47-48 are not shown; presumably they
// declare x and re-read it through the global scanf before the second store,
// where the out-of-bound diagnostic is required. Confirm against the full file.
41 void testConfigurationNamespacePropagation1() {
43 // The built-in functions should be matched only for functions in
44 // the global namespace
45 myNamespace::scanf("%d", &x
);
46 Buffer
[x
] = 1; // no-warning
49 Buffer
[x
] = 1; // expected-warning {{Out of bound memory access }}
// The value returned by myNamespace::mySource3() is used as an array index
// and that store must be flagged, i.e. the qualified call acts as a taint
// source. The earlier store indexed by x is marked clean.
// NOTE(review): the statement that produces x and the declaration of
// mySource3 are not shown in this listing; the source is presumably defined
// by the taint configuration file passed on the command line. Confirm.
52 void testConfigurationNamespacePropagation2() {
54 Buffer
[x
] = 1; // no-warning
56 int y
= myNamespace::mySource3();
57 Buffer
[y
] = 1; // expected-warning {{Out of bound memory access }}
// Same check as for myNamespace, but through myAnotherNamespace: the value
// returned by myAnotherNamespace::mySource3() is used as an index and the
// store must be flagged as an out-of-bound access.
// NOTE(review): the declaration of mySource3 is not shown in this listing.
60 void testConfigurationNamespacePropagation3() {
61 int x
= myAnotherNamespace::mySource3();
62 Buffer
[x
] = 1; // expected-warning {{Out of bound memory access }}
// myScanf is declared inside myNamespace and called with its qualified name;
// the store indexed by x must still be flagged, which is the behaviour the
// comment in the body describes for configuration entries without a scope.
// NOTE(review): the declaration of x (listing line 66) is not shown.
65 void testConfigurationNamespacePropagation4() {
67 // Configured functions without scope should match for all functions.
68 myNamespace::myScanf("%d", &x
);
69 Buffer
[x
] = 1; // expected-warning {{Out of bound memory access }}
// Scope test for a taint filter (sanitizer): after the check through
// myNamespace::isOutOfRange2 the store indexed by x is marked clean, while
// the same pattern through the global isOutOfRange2 must still be flagged.
// A filter that also matched the global function would hide the second
// finding, so this pins the filter to its namespace.
// NOTE(review): the declarations, the reads that taint x and y, and the
// statements guarded by the two if conditions are not shown in this listing.
72 void testConfigurationNamespaceFilter1() {
74 if (myNamespace::isOutOfRange2(&x
))
76 Buffer
[x
] = 1; // no-warning
79 if (isOutOfRange2(&y
))
81 Buffer
[y
] = 1; // expected-warning {{Out of bound memory access }}
// Filter check through myAnotherNamespace::isOutOfRange2: the store indexed
// by x after the check is marked clean, so the function is treated as a
// filter in this namespace as well.
// NOTE(review): the read that taints x and the statement guarded by the if
// condition are not shown in this listing.
84 void testConfigurationNamespaceFilter2() {
86 if (myAnotherNamespace::isOutOfRange2(&x
))
88 Buffer
[x
] = 1; // no-warning
// Filter check through myNamespace::isOutOfRange (no "2" suffix): the store
// indexed by x after the check is marked clean.
// NOTE(review): the read that taints x and the statement guarded by the if
// condition are not shown; how this filter is scoped in the configuration
// cannot be told from this listing.
91 void testConfigurationNamespaceFilter3() {
93 if (myNamespace::isOutOfRange(&x
))
95 Buffer
[x
] = 1; // no-warning
// Scope test for a user-defined sink: passing x to the global mySink2 is
// marked clean, while passing y to myNamespace::mySink2 must produce the
// "Untrusted data is passed to a user-defined sink" diagnostic.
// NOTE(review): the reads that taint x and y and the declarations of mySink2
// are not shown in this listing.
98 void testConfigurationNamespaceSink1() {
100 mySink2(x
); // no-warning
103 myNamespace::mySink2(y
);
104 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
// Sink check through myAnotherNamespace::mySink2: passing x must produce the
// user-defined-sink diagnostic on the call line.
// NOTE(review): the read that taints x is not shown in this listing.
107 void testConfigurationNamespaceSink2() {
109 myAnotherNamespace::mySink2(x
);
110 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
// Sink check for the three-argument myNamespace::mySink: x is passed as the
// first argument next to the constants 0 and 1, and the call must produce the
// user-defined-sink diagnostic.
// NOTE(review): which argument positions the configuration marks as sink
// arguments is not visible here; the read that taints x is not shown either.
113 void testConfigurationNamespaceSink3() {
115 myNamespace::mySink(x
, 0, 1);
116 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
// Two declarations taking (const char*, int*), one of them reusing the name
// scanf.
// NOTE(review): listing lines 119 and 122-123 are not shown; these are
// presumably members of the type of the object `foo` used in
// testConfigurationMemberFunc. Confirm against the full file.
120 void scanf(const char*, int*);
121 void myMemberScanf(const char*, int*);
// Member-function case: after foo.myMemberScanf("%d", &x) the store indexed
// by x must be flagged, so the member call is treated as a taint source. The
// earlier store is marked clean.
// NOTE(review): the declarations of foo and x and the call that precedes the
// first store are not shown; presumably that call is the member named scanf,
// which would check that it is not mistaken for the built-in. Confirm.
124 void testConfigurationMemberFunc() {
128 Buffer
[x
] = 1; // no-warning
130 foo
.myMemberScanf("%d", &x
);
131 Buffer
[x
] = 1; // expected-warning {{Out of bound memory access }}
// Reading an integer from stdin with fscanf taints n; using it as an array
// index with no range check in the visible lines must yield the
// "index is tainted" form of the out-of-bound diagnostic.
// NOTE(review): the declaration of n is not shown, and the parameter p is not
// used in the visible lines.
134 void testReadingFromStdin(char **p
) {
136 fscanf(stdin
, "%d", &n
);
137 Buffer
[n
] = 1; // expected-warning {{Out of bound memory access (index is tainted)}}