1 // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.MallocOverflow -verify %s
2
3 #define NULL ((void *) 0)
4 typedef __typeof__(sizeof(int)) size_t;
5 extern void * malloc(size_t);
6
f1(int n)7 void * f1(int n)
8 {
9 return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
10 }
11
f2(int n)12 void * f2(int n)
13 {
14 return malloc(sizeof(int) * n); // // expected-warning {{the computation of the size of the memory allocation may overflow}}
15 }
16
f3()17 void * f3()
18 {
19 return malloc(4 * sizeof(int)); // no-warning
20 }
21
22 struct s4
23 {
24 int n;
25 };
26
f4(struct s4 * s)27 void * f4(struct s4 *s)
28 {
29 return malloc(s->n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
30 }
31
f5(struct s4 * s)32 void * f5(struct s4 *s)
33 {
34 struct s4 s2 = *s;
35 return malloc(s2.n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
36 }
37
f6(int n)38 void * f6(int n)
39 {
40 return malloc((n + 1) * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
41 }
42
43 extern void * malloc (size_t);
44
f7(int n)45 void * f7(int n)
46 {
47 if (n > 10)
48 return NULL;
49 return malloc(n * sizeof(int)); // no-warning
50 }
51
f8(int n)52 void * f8(int n)
53 {
54 if (n < 10)
55 return malloc(n * sizeof(int)); // no-warning
56 else
57 return NULL;
58 }
59
f9(int n)60 void * f9(int n)
61 {
62 int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
63 for (int i = 0; i < n; i++)
64 x[i] = i;
65 return x;
66 }
67
f10(int n)68 void * f10(int n)
69 {
70 int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
71 int i = 0;
72 while (i < n)
73 x[i++] = 0;
74 return x;
75 }
76
f11(int n)77 void * f11(int n)
78 {
79 int * x = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
80 int i = 0;
81 do {
82 x[i++] = 0;
83 } while (i < n);
84 return x;
85 }
86
f12(int n)87 void * f12(int n)
88 {
89 n = (n > 10 ? 10 : n);
90 int * x = malloc(n * sizeof(int)); // no-warning
91 for (int i = 0; i < n; i++)
92 x[i] = i;
93 return x;
94 }
95
96 struct s13
97 {
98 int n;
99 };
100
f13(struct s13 * s)101 void * f13(struct s13 *s)
102 {
103 if (s->n > 10)
104 return NULL;
105 return malloc(s->n * sizeof(int)); // no-warning
106 }
107
f14(int n)108 void * f14(int n)
109 {
110 if (n < 0)
111 return NULL;
112 return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
113 }
114