1 // RUN: %clang_analyze_cc1 -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s
2 // RUN: %clang_analyze_cc1 -triple armv7-a15-linux -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s
3 // RUN: %clang_analyze_cc1 -triple aarch64_be-none-linux-gnu -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s
4 // RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -analyzer-checker=unix.cstring.BadSizeArg -analyzer-store=region -Wno-strncat-size -Wno-strlcpy-strlcat-size -Wno-sizeof-array-argument -Wno-sizeof-pointer-memaccess -verify %s
5 
6 typedef __SIZE_TYPE__ size_t;
7 char  *strncat(char *, const char *, size_t);
8 size_t strlen (const char *s);
9 size_t strlcpy(char *, const char *, size_t);
10 size_t strlcat(char *, const char *, size_t);
11 
12 void testStrncat(const char *src) {
13   char dest[10];
14   strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest) - 1); // expected-warning {{Potential buffer overflow. Replace with 'sizeof(dest) - strlen(dest) - 1' or use a safer 'strlcat' API}}
15   strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest)); // expected-warning {{Potential buffer overflow. Replace with}}
16   strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest) - strlen(dest)); // expected-warning {{Potential buffer overflow. Replace with}}
17   strncat(dest, src, sizeof(src)); // expected-warning {{Potential buffer overflow. Replace with}}
18   // Should not crash when sizeof has a type argument.
19   strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(char));
20 }
21 
22 void testStrlcpy(const char *src) {
23   char dest[10];
24   size_t destlen = sizeof(dest);
25   size_t srclen = sizeof(src);
26   size_t badlen = 20;
27   size_t ulen;
28   strlcpy(dest, src, sizeof(dest));
29   strlcpy(dest, src, destlen);
30   strlcpy(dest, src, 10);
31   strlcpy(dest, src, 20); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(dest) or lower}}
32   strlcpy(dest, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(dest) or lower}}
33   strlcpy(dest, src, ulen);
34   strlcpy(dest + 5, src, 5);
35   strlcpy(dest + 5, src, 10); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
36   strlcpy(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
37 }
38 
39 void testStrlcat(const char *src) {
40   char dest[10];
41   size_t badlen = 20;
42   size_t ulen;
43   strlcpy(dest, "aaaaa", sizeof("aaaaa") - 1);
44   strlcat(dest, "bbbb", (sizeof("bbbb") - 1) - sizeof(dest) - 1);
45   strlcpy(dest, "012345678", sizeof(dest));
46   strlcat(dest, "910", sizeof(dest));
47   strlcpy(dest, "0123456789", sizeof(dest));
48   strlcpy(dest, "0123456789", sizeof(dest));
49   strlcat(dest, "0123456789", badlen / 2);
50   strlcat(dest, "0123456789", badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(dest) or lower}}
51   strlcat(dest, "0123456789", badlen - strlen(dest) - 1);
52   strlcat(dest, src, ulen);
53   strlcpy(dest, src, 5);
54   strlcat(dest + 5, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
55   strlcat(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
56 }
57