Lines Matching defs:tainted
309 // is tainted and _can be very large_ (because that's exploitable). This
313 int *buf1 = (int*)malloc(ts*sizeof(int)); // warn here, ts is unbounded and tainted
314 char *dst = (char*)calloc(ts, sizeof(char)); // warn here, ts is unbounded and tainted
352 } tainted;
358 read(sock, &tainted, sizeof(tainted));
359 clang_analyzer_isTainted_int(tainted.length); // expected-warning {{YES }}
365 } tainted[4];
373 read(sock, &tainted[0], sizeof(tainted));
374 clang_analyzer_isTainted_int(tainted[0].length); // expected-warning {{YES}}
376 __builtin_memset(&tainted, 0, sizeof(tainted));
377 read(sock, &tainted, sizeof(tainted));
378 clang_analyzer_isTainted_int(tainted[0].length); // expected-warning {{YES}}
380 __builtin_memset(&tainted, 0, sizeof(tainted));
382 read(sock, &tainted[1], sizeof(tainted));
383 clang_analyzer_isTainted_int(tainted[0].length); // expected-warning {{NO}}
384 clang_analyzer_isTainted_int(tainted[2].length); // expected-warning {{NO}}
391 } tainted;
396 read(sock, &tainted.y, sizeof(tainted.y));
398 __builtin_memcpy(buffer, tainted.y, tainted.x);
404 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
412 return 5/x; // x cannot be 0, so no tainted warning either
419 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted (attacker controlled) size that can be 0 or negative}}
437 return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
446 return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
467 return 5/a; // FIXME: Should be a "div by tainted" warning here.
472 int tainted = 0;
473 scanf("%d", &tainted);
475 // Make "tmp" tainted.
476 int tmp = tainted + tainted;
507 clang_analyzer_isTainted_int(tmp); // expected-warning{{NO}} FIXME: Ideally, this should still result in "tainted".
521 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
544 return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
572 return 1 / *out; // expected-warning {{Division by a tainted value, possibly zero}}
579 return 1 / c; // expected-warning {{Division by a tainted value, possibly zero}}
599 return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}}
606 (void)(1 / dirfd); // arg 0 is not tainted
607 system(path); // arg 1 is not tainted
608 (void)(1 / bufsiz); // arg 3 is not tainted
610 return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}}
649 return 1 / list[0]; // expected-warning {{Division by a tainted value, possibly zero}}
651 return 1 / (result + 1); // expected-warning {{Division by a tainted value, possibly zero}}
689 scanf("%d", &fd); // fake a tainted file descriptor
703 scanf("%d", &fd); // fake a tainted file descriptor
713 scanf("%d", &fd); // fake a tainted file descriptor
722 scanf("%d", &fd); // fake a tainted file descriptor
1213 myScanf("%s", buffer); // makes buffer tainted
1219 myScanf("%s", buffer); // makes buffer tainted
1244 // as we only check two levels. The results would be worse, if the tainted