(root)/
gcc-13.2.0/
gcc/
testsuite/
gcc.dg/
analyzer/
flexible-array-member-1.c
       1  #include <stdlib.h>
       2  #include <string.h>
       3  
       4  struct str {
       5    size_t len;
       6    char data[];
       7  };
       8  
       9  struct str *
      10  test_const_size (void)
      11  {
      12    struct str *str = malloc(sizeof(str) + 10);
      13    if (str) {
      14      str->len = 10;
      15      memset(str->data, 'x', 10);
      16      return str;
      17    }
      18    return NULL;
      19  }
      20  
      21  struct str *
      22  test_const_size_oob_1 (void)
      23  {
      24    /* Forgetting to add space for the trailing array.  */
      25    struct str *str = malloc(sizeof(str));
      26    if (str) {
      27      str->len = 10;
      28      memset(str->data, 'x', 10); /* { dg-warning "heap-based buffer overflow" "Wanalyzer-out-of-bounds" } */
      29      /* { dg-warning "'memset' writing 10 bytes into a region of size 0 overflows the destination" "Wstringop-overflow" { target *-*-* } .-1 } */
      30      return str;
      31    }
      32    return NULL;
      33  }
      34  
      35  struct str *
      36  test_const_size_oob_2 (void)
      37  {
      38    struct str *str = malloc(sizeof(str) + 10);
      39    if (str) {
      40      str->len = 10;
      41      /* Using the wrong size here.  */
      42      memset(str->data, 'x', 11); /* { dg-warning "heap-based buffer overflow" "Wanalyzer-out-of-bounds" } */
      43      /* { dg-warning "'memset' writing 11 bytes into a region of size 10 overflows the destination" "Wstringop-overflow" { target *-*-* } .-1 } */
      44      return str;
      45    }
      46    return NULL;
      47  }
      48  
      49  struct str *
      50  test_symbolic_size (size_t len)
      51  {
      52    struct str *str = malloc(sizeof(str) + len);
      53    if (str) {
      54      str->len = len;
      55      memset(str->data, 'x', len);
      56      return str;
      57    }
      58    return NULL;
      59  }
      60  
      61  struct str *
      62  test_symbolic_size_oob (size_t len)
      63  {
      64    /* Forgetting to add space for the trailing array.  */
      65    struct str *str = malloc(sizeof(str));
      66    if (str) {
      67      str->len = len;
      68      memset(str->data, 'x', len); /* { dg-warning "heap-based buffer overflow" "PR analyzer/98247" { xfail *-*-* } } */
      69      // TODO(xfail): we don't yet complain about this case, which occurs when len > 0
      70      return str;
      71    }
      72    return NULL;
      73  }
      74  
      75  struct str *
      76  test_symbolic_size_with_terminator (size_t len)
      77  {
      78    struct str *str = malloc(sizeof(str) + len + 1);
      79    if (str) {
      80      str->len = len;
      81      memset(str->data, 'x', len);
      82      str->data[len] = '\0';
      83      return str;
      84    }
      85    return NULL;
      86  }
      87  
      88  struct str *
      89  test_symbolic_size_with_terminator_oob (size_t len)
      90  {
      91    /* Forgetting to add 1 for the terminator.  */
      92    struct str *str = malloc(sizeof(str) + len);
      93    if (str) {
      94      str->len = len;
      95      memset(str->data, 'x', len);
      96      str->data[len] = '\0'; /* { dg-warning "heap-based buffer overflow" } */
      97      return str;
      98    }
      99    return NULL;
     100  }