1  // TODO: remove need for this option:
       2  /* { dg-additional-options "-fanalyzer-checker=taint" } */
       3  
       4  #include "analyzer-decls.h"
       5  #include <stdio.h>
       6  #include <stdlib.h>
       7  #include <string.h>
       8  
       9  /* malloc with tainted size from a syscall.  */
      10  
      11  struct arg_buf
      12  {
      13    size_t sz;
      14  };
      15  
      16  void *p;
      17  
      18  void __attribute__((tainted_args))
      19  test_1 (void *data) /* { dg-message "\\(1\\) function 'test_1' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
      20  {
      21    /* we should treat pointed-to-structs as tainted.  */
      22    __analyzer_dump_state ("taint", data); /* { dg-warning "state: 'tainted'" } */
      23    
      24    struct arg_buf *args = data;
      25  
      26    __analyzer_dump_state ("taint", args); /* { dg-warning "state: 'tainted'" } */
      27    __analyzer_dump_state ("taint", args->sz); /* { dg-warning "state: 'tainted'" } */
      28    
      29    p = malloc (args->sz); /* { dg-warning "use of attacker-controlled value '\\*args.sz' as allocation size without upper-bounds checking" "warning" } */
      30    /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value '\\*args.sz' as allocation size without upper-bounds checking" "final event" { target *-*-* } .-1 } */
      31  }