// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.MallocOverflow -verify %s

// Fixture for the Clang Static Analyzer checker alpha.security.MallocOverflow.
// The command above only analyzes this file (-analyze with -verify); nothing
// here is executed. The trailing annotation on each malloc() line records
// whether the checker must report that line.
//
// Pattern under test: an int count multiplied by sizeof(int), which has type
// size_t. The count is converted to size_t before the multiplication, so a
// negative count (or a large one where size_t is 32 bits wide) makes the
// product wrap and malloc() is asked for fewer bytes than the caller intends.
// Writes indexed by the original count can then run past the allocation.
// In production code, validate the count before multiplying (reject negative
// values and anything above SIZE_MAX / sizeof(element)), or pass the count and
// element size separately to calloc().
//
// NOTE(review): the unreported cases below (f7, f8, f12, f13) bound the count
// only from above; a negative count still reaches the multiplication. The
// missing report reflects what the checker accepts as a guard, not a proof that
// the size is safe.

// Local stand-ins for the usual library definitions; the file has no #include.
#define NULL ((void *) 0)
typedef __typeof__(sizeof(int)) size_t;
extern void * malloc(size_t);

// Unchecked parameter as the left operand of the size computation: reported.
void * f1(int n)
{
  return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}

// Same as f1 with the operands swapped: reported regardless of operand order.
void * f2(int n)
{
  return malloc(sizeof(int) * n); // // expected-warning {{the computation of the size of the memory allocation may overflow}}
}

// Both operands are compile-time constants, so there is nothing to flag.
void * f3()
{
  return malloc(4 * sizeof(int)); // no-warning
}

struct s4
{
  int n;
};

// The count is read through a pointer to a struct member: reported.
void * f4(struct s4 *s)
{
  return malloc(s->n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}

// The count is read from a local copy of the struct: still reported.
void * f5(struct s4 *s)
{
  struct s4 s2 = *s;
  return malloc(s2.n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}

// The count is an arithmetic expression (n + 1) rather than a bare variable:
// reported.
void * f6(int n)
{
  return malloc((n + 1) * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}

// Repeats the malloc declaration from the top of the file, spelled with a space
// before the parameter list.
extern void * malloc (size_t);

// Early return when n exceeds a constant, placed before the allocation: the
// annotation says this upper-bound check is enough to suppress the report.
void * f7(int n)
{
  if (n > 10)
    return NULL;
  return malloc(n * sizeof(int)); // no-warning
}

// The allocation sits inside the branch guarded by n < 10: not reported.
void * f8(int n)
{
  if (n < 10)
    return malloc(n * sizeof(int)); // no-warning
  else
    return NULL;
}

// The only comparison involving n is the for-loop condition, which comes after
// the allocation, so it does not count as a guard: reported. The loop also shows
// the consequence of a wrapped size: it stores n ints into the buffer.
void * f9(int n)
{
  int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
  for (int i = 0; i < n; i++)
    x[i] = i;
  return x;
}

// Same as f9 with a while loop: a later comparison does not suppress the report.
void * f10(int n)
{
  int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
  int i = 0;
  while (i < n)
    x[i++] = 0;
  return x;
}

// Same as f9 with a do-while loop: reported. The body runs once before n is
// compared at all.
void * f11(int n)
{
  int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
  int i = 0;
  do {
    x[i++] = 0;
  } while (i < n);
  return x;
}

// n is capped at 10 by a conditional expression before the allocation: not
// reported. Values below 10, including negative ones, pass through unchanged.
void * f12(int n)
{
  n = (n > 10 ? 10 : n);
  int * x = malloc(n * sizeof(int)); // no-warning
  for (int i = 0; i < n; i++)
    x[i] = i;
  return x;
}

struct s13
{
  int n;
};

// Struct-member variant of f7: an upper-bound check on s->n before the
// allocation suppresses the report.
void * f13(struct s13 *s)
{
  if (s->n > 10)
    return NULL;
  return malloc(s->n * sizeof(int)); // no warning
}

// Only negative values are rejected; no upper bound is established, and the
// comparison against zero does not suppress the report.
void * f14(int n)
{
  if (n < 0)
    return NULL;
  return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
}