gcc/testsuite/gcc.dg/analyzer/CVE-2005-1689-minimal.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

#include <stdlib.h>
#include "analyzer-decls.h"

typedef struct _krb5_data {
  char *data;
} krb5_data;

void
test_1 (krb5_data inbuf, int flag)
{
  free(inbuf.data); /* { dg-message "first 'free' here" } */
  free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
}

void
test_2 (krb5_data inbuf, int flag)
{
  if (flag) {
    free(inbuf.data); /* { dg-message "first 'free' here" } */
  }
  free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
}

void
test_3 (krb5_data inbuf, int flag)
{
  if (flag) {
    free((char *)inbuf.data); /* { dg-message "first 'free' here" } */
  }
  free((char *)inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
}

extern void unknown_fn (void *);

void
test_4 (krb5_data inbuf)
{
  unknown_fn (NULL);
  free(inbuf.data); /* { dg-message "first 'free' here" } */
  free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
}

void
test_5 (krb5_data inbuf)
{
  unknown_fn (&inbuf);
  free(inbuf.data); /* { dg-message "first 'free' here" } */
  free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" "inbuf.data" } */
  /* { dg-bogus "double-'free' of 'inbuf'" "inbuf" { target *-*-* } .-1 } */
}

typedef struct _padded_krb5_data {
  int pad;
  char *data;
} padded_krb5_data;

void
test_6 (padded_krb5_data inbuf)
{
  unknown_fn (&inbuf.data);
  free((char *)inbuf.data); /* { dg-message "first 'free' here" } */
  free((char *)inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" "inbuf.data" } */
}

void
test_7 (padded_krb5_data inbuf)
{
  unknown_fn (&inbuf.data);
  free((char *)inbuf.data);

  unknown_fn (&inbuf.data);
  free((char *)inbuf.data);  
}

void
test_8 (padded_krb5_data inbuf, int flag)
{
  if (flag)
    {
      unknown_fn (&inbuf.data);
      free((char *)inbuf.data);
    }
  /* Should have two enodes, one for the explicit "freed" state, and one
     for the implicit "start" state.  */
  __analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */

  unknown_fn (&inbuf.data);

  /* Should have just one enode, for the implicit "start" state.  */
  __analyzer_dump_exploded_nodes (0); /* { dg-warning "1 processed enode" } */
}