author | David Malcolm <dmalcolm@redhat.com> | 2024-01-15 19:01:21 -0500 |
---|---|---|
committer | David Malcolm <dmalcolm@redhat.com> | 2024-01-15 19:01:21 -0500 |
commit | ce27b66d952127b7abd0f8cceacb79eb6ecf71db (patch) | |
tree | c40e0f0e6a5e193c5e14cbeace1e1fd93c701710 /gcc/testsuite/c-c++-common/analyzer | |
parent | d235bf2e807c5f7e959ca5f3f8d92936801f5b80 (diff) | |
analyzer: fix false +ves from -Wanalyzer-tainted-array-index with unsigned char index [PR106229]
gcc/analyzer/ChangeLog:
PR analyzer/106229
* analyzer.h (compare_constants): New decl.
* constraint-manager.cc (compare_constants): Make non-static.
* sm-taint.cc: Add include "fold-const.h".
(class concrete_range): New.
(get_possible_range): New.
(index_can_be_out_of_bounds_p): New.
(region_model::check_region_for_taint): Reject
-Wanalyzer-tainted-array-index if the type of the value makes it
impossible for it to be out-of-bounds of the array.
gcc/testsuite/ChangeLog:
PR analyzer/106229
* c-c++-common/analyzer/taint-index-pr106229.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Diffstat (limited to 'gcc/testsuite/c-c++-common/analyzer')
-rw-r--r-- | gcc/testsuite/c-c++-common/analyzer/taint-index-pr106229.c | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/gcc/testsuite/c-c++-common/analyzer/taint-index-pr106229.c b/gcc/testsuite/c-c++-common/analyzer/taint-index-pr106229.c new file mode 100644 index 0000000..76dca63 --- /dev/null +++ b/gcc/testsuite/c-c++-common/analyzer/taint-index-pr106229.c 
@@ -0,0 +1,109 @@ +#include <stdint.h> + +/* Attacker-controlled 8 bit values where the array isn't + necessarily big enough. We should warn about these. */ + +struct st_s8_field_255_elements +{ + int8_t idx; + char buf[255]; +}; + +char __attribute__((tainted_args)) +test_s8_field_255_elements (struct st_s8_field_255_elements s) +{ + return s.buf[s.idx]; /* { dg-warning "tainted-array-index" } */ +} + +struct st_u8_field_255_elements +{ + uint8_t idx; + char buf[255]; +}; + +char __attribute__((tainted_args)) +test_u8_field_255_elements (struct st_u8_field_255_elements s) +{ + return s.buf[s.idx]; /* { dg-warning "tainted-array-index" } */ +} + +/* Attacker-controlled 8 bit values where the array is + big enough, but where the value might be signed. */ + +struct st_s8_field_256_elements +{ + int8_t idx; + char buf[256]; +}; + +char __attribute__((tainted_args)) +test_s8_field_256_elements (struct st_s8_field_256_elements s) +{ + return s.buf[s.idx]; /* { dg-warning "tainted-array-index" } */ +} + +struct st_u8_field_256_elements +{ + uint8_t idx; + char buf[256]; +}; + +char __attribute__((tainted_args)) +test_u8_field_256_elements (struct st_u8_field_256_elements s) +{ + return s.buf[s.idx]; /* { dg-bogus "tainted-array-index" } */ +} + +/* Attacker-controlled 16 bit values where the array isn't + necessarily big enough. We should warn about these. */ + +struct st_s16_field_256_elements +{ + int16_t idx; + char buf[256]; +}; + +char __attribute__((tainted_args)) +test_s16_field_256_elements (struct st_s16_field_256_elements s) +{ + return s.buf[s.idx]; /* { dg-warning "tainted-array-index" } */ +} + +struct st_u16_field_256_elements +{ + uint16_t idx; + char buf[256]; +}; + +char __attribute__((tainted_args)) +test_u16_field_256_elements (struct st_u16_field_256_elements s) +{ + return s.buf[s.idx]; /* { dg-warning "tainted-array-index" } */ +} + +/* Attacker-controlled 16 bit values where the array is + big enough, but where the value might be signed. 
*/ + +struct st_s16_field_65536_elements +{ + int16_t idx; + char buf[65536]; +}; + +char __attribute__((tainted_args)) +test_s16_field_65536_elements (struct st_s16_field_65536_elements s) +{ + return s.buf[s.idx]; /* { dg-warning "tainted-array-index" } */ +} + +struct st_u16_field_65536_elements +{ + uint16_t idx; + char buf[65536]; +}; + +char __attribute__((tainted_args)) +test_u16_field_65536_elements (struct st_u16_field_65536_elements s) +{ + return s.buf[s.idx]; /* { dg-bogus "tainted-array-index" } */ +} |
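Review bot: the comments above the 256-element and 65536-element groups ("the array is big enough, but where the value might be signed") describe only the int8_t/int16_t functions, yet each group also contains the uint8_t/uint16_t function marked dg-bogus, which is the false positive named in the commit subject. Consider extending those two comments to say that the unsigned index cannot exceed the array bounds and must not warn, so the intent of the dg-bogus lines is clear without reading the ChangeLog. Every case also reads the index from a struct field and uses it directly as `s.buf[s.idx]`; a case where the narrow value goes through arithmetic first (for example `s.buf[s.idx + 1]` with `uint8_t idx` and `char buf[256]`, which should still warn) would check that the type-based rejection is not applied to an expression whose range is wider than the field's type.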