pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3b56b93ae5'
${ noResults }
infer_clone/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp

58 lines
1.3 KiB
Raw Normal View History Unescape

[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4
8 years ago
/*
* Copyright (c) 2017 - present Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*/
[quandary] vector and array access as sink Summary: Useful for identifying user-controlled array accesses that could lead to buffer overflows Reviewed By: mbouaziz Differential Revision: D5520985 fbshipit-source-id: 92984f6
7 years ago
#include <array>
#include <string>
extern int __infer_taint_source();
extern void skip(int i, int j);
[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4
8 years ago
namespace arrays {
[quandary] vector and array access as sink Summary: Useful for identifying user-controlled array accesses that could lead to buffer overflows Reviewed By: mbouaziz Differential Revision: D5520985 fbshipit-source-id: 92984f6
7 years ago
void array_sink1_bad(int arr[]) {
int source = __infer_taint_source();
arr[source] = 2;
}
int array_sink2_bad(int arr[]) {
int source = __infer_taint_source();
return arr[source];
}
int array_sink3_bad(int arr[]) { return arr[1 + __infer_taint_source()]; }
void array_sink4_bad(int arr[]) {
int source = __infer_taint_source();
skip(1, arr[source]);
}
void std_array_sink_bad(std::array<int, 2> arr) {
int source = __infer_taint_source();
arr[source] = 2;
}
void std_string_sink_bad(std::string str) {
int source = __infer_taint_source();
str[source] = 'a';
}
[quandary] stack allocation of array as sink Reviewed By: grievejia Differential Revision: D5550052 fbshipit-source-id: 17568b1
7 years ago
int stack_smash_bad() {
int source = __infer_taint_source();
int arr[source];
return arr[0]; // could read from anywhere in the stack
}
[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4
8 years ago
// these examples used to crash the HIL conversion
char index_of_literal_ok1() { return "foo"[1]; }
char index_of_literal_ok2() { return "foo"[7]; }
char index_of_literal_ok3(int i) { return "foo"[i]; }
}