gcc/testsuite/gcc.dg/analyzer/taint-alloc-2.c - gcc - Git at Google

 #include "analyzer-decls.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

 struct foo
 {
   int num;
 };

 /* malloc with tainted size from a field.  */

 void *test_1 (FILE *f)
 {
   struct foo tmp;
   fread(&tmp, sizeof(tmp), 1, f); /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */

   __analyzer_dump_state ("taint", tmp.num); /* { dg-warning "state: 'tainted'" } */
   __analyzer_dump_state ("taint", tmp.num * 16); /* { dg-warning "state: 'tainted'" } */

   return malloc (tmp.num * 16); /* { dg-warning "use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
   /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target *-*-* } .-1 } */
   // TODO: show where tmp.num * 16 gets the bogus value
 }
	#include "analyzer-decls.h"
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>

	struct foo
	{
	int num;
	};

	/* malloc with tainted size from a field. */

	void test_1 (FILE f)
	{
	struct foo tmp;
	fread(&tmp, sizeof(tmp), 1, f); /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail --* } } */

	__analyzer_dump_state ("taint", tmp.num); /* { dg-warning "state: 'tainted'" } */
	__analyzer_dump_state ("taint", tmp.num * 16); /* { dg-warning "state: 'tainted'" } */

	return malloc (tmp.num * 16); /* { dg-warning "use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "warning" } */
	/* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.num \\* 16' as allocation size without upper-bounds checking" "final event with expr" { target --* } .-1 } */
	// TODO: show where tmp.num * 16 gets the bogus value
	}