gcc/testsuite/gcc.dg/analyzer/taint-alloc-3.c - gcc - Git at Google

 // TODO: remove need for this option:
 /* { dg-additional-options "-fanalyzer-checker=taint" } */

 #include "analyzer-decls.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

 /* malloc with tainted size from a syscall.  */

 void *p;

 void __attribute__((tainted_args))
 test_1 (size_t sz) /* { dg-message "\\(1\\) function 'test_1' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
 {
   /* TODO: should have a message saying why "sz" is tainted, e.g.
      "treating 'sz' as attacker-controlled because 'test_1' is marked with '__attribute__((tainted_args))'"  */

   p = malloc (sz); /* { dg-warning "use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" "warning" } */
   /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" "final event" { target *-*-* } .-1 } */
 }
	// TODO: remove need for this option:
	/* { dg-additional-options "-fanalyzer-checker=taint" } */

	#include "analyzer-decls.h"
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>

	/* malloc with tainted size from a syscall. */

	void *p;

	void __attribute__((tainted_args))
	test_1 (size_t sz) /* { dg-message "\\(1\\) function 'test_1' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
	{
	/* TODO: should have a message saying why "sz" is tainted, e.g.
	"treating 'sz' as attacker-controlled because 'test_1' is marked with '__attribute__((tainted_args))'" */

	p = malloc (sz); /* { dg-warning "use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" "warning" } */
	/* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" "final event" { target --* } .-1 } */
	}