1  // TODO: remove need for this option:
       2  /* { dg-additional-options "-fanalyzer-checker=taint" } */
       3  
       4  #include "analyzer-decls.h"
       5  #include <stdio.h>
       6  #include <stdlib.h>
       7  #include <string.h>
       8  
       9  struct foo
      10  {
      11    int num;
      12  };
      13  
      14  /* malloc with tainted size from a field.  */
      15  
      16  void *test_1 (FILE *f)
      17  {
      18    struct foo tmp;
      19    fread(&tmp, sizeof(tmp), 1, f); /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
      20  
      21    __analyzer_dump_state ("taint", tmp.num); /* { dg-warning "state: 'tainted'" } */
      22    __analyzer_dump_state ("taint", tmp.num * 16); /* { dg-warning "state: 'tainted'" } */
      23  
      24    return malloc (tmp.num * 16); /* { dg-warning "use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
      25    /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target *-*-* } .-1 } */
      26    // TODO: show where tmp.num * 16 gets the bogus value
      27  }