1 // RUN: %clang_analyze_cc1 -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s 2 // RUN: %clang_analyze_cc1 -triple armv7-a15-linux -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s 3 // RUN: %clang_analyze_cc1 -triple aarch64_be-none-linux-gnu -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s 4 // RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s 5 6 typedef __SIZE_TYPE__ size_t; 7 char *strncat(char *, const char *, size_t); 8 size_t strlen (const char *s); 9 size_t strlcpy(char *, const char *, size_t); 10 size_t strlcat(char *, const char *, size_t); 11 12 void testStrncat(const char *src) { 13 char dest[10]; 14 strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest) - 1); // expected-warning {{Potential buffer overflow. Replace with 'sizeof(dest) - strlen(dest) - 1' or use a safer 'strlcat' API}} 15 strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest)); // expected-warning {{Potential buffer overflow. Replace with}} 16 strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest) - strlen(dest)); // expected-warning {{Potential buffer overflow. Replace with}} 17 strncat(dest, src, sizeof(src)); // expected-warning {{Potential buffer overflow. Replace with}} 18 // Should not crash when sizeof has a type argument. 19 strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(char)); 20 } 21 22 void testStrlcpy(const char *src) { 23 char dest[10]; 24 size_t destlen = sizeof(dest); 25 size_t srclen = sizeof(src); 26 size_t badlen = 20; 27 size_t ulen; 28 strlcpy(dest, src, sizeof(dest)); 29 strlcpy(dest, src, destlen); 30 strlcpy(dest, src, 10); 31 strlcpy(dest, src, 20); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(dest) or lower}} 32 strlcpy(dest, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(dest) or lower}} 33 strlcpy(dest, src, ulen); 34 strlcpy(dest + 5, src, 5); 35 strlcpy(dest + 5, src, 10); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}} 36 strlcpy(dest, "aaaaaaaaaaaaaaa", 10); // no-warning 37 } 38 39 void testStrlcat(const char *src) { 40 char dest[10]; 41 size_t badlen = 20; 42 size_t ulen; 43 strlcpy(dest, "aaaaa", sizeof("aaaaa") - 1); 44 strlcat(dest, "bbbb", (sizeof("bbbb") - 1) - sizeof(dest) - 1); 45 strlcpy(dest, "012345678", sizeof(dest)); 46 strlcat(dest, "910", sizeof(dest)); 47 strlcpy(dest, "0123456789", sizeof(dest)); 48 strlcpy(dest, "0123456789", sizeof(dest)); 49 strlcat(dest, "0123456789", badlen / 2); 50 strlcat(dest, "0123456789", badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(dest) or lower}} 51 strlcat(dest, "0123456789", badlen - strlen(dest) - 1); 52 strlcat(dest, src, ulen); 53 strlcpy(dest, src, 5); 54 strlcat(dest + 5, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}} 55 strlcat(dest, "aaaaaaaaaaaaaaa", 10); // no-warning 56 } 57