1 //=-- asan_str_test.cc ----------------------------------------------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file is a part of AddressSanitizer, an address sanity checker.
11 //
12 //===----------------------------------------------------------------------===//
13 #include "asan_test_utils.h"
14
15 #if defined(__APPLE__)
16 #include <AvailabilityMacros.h> // For MAC_OS_X_VERSION_*
17 #endif
18
19 // Used for string functions tests
20 static char global_string[] = "global";
21 static size_t global_string_length = 6;
22
23 // Input to a test is a zero-terminated string str with given length
24 // Accesses to the bytes to the left and to the right of str
25 // are presumed to produce OOB errors
StrLenOOBTestTemplate(char * str,size_t length,bool is_global)26 void StrLenOOBTestTemplate(char *str, size_t length, bool is_global) {
27 // Normal strlen calls
28 EXPECT_EQ(strlen(str), length);
29 if (length > 0) {
30 EXPECT_EQ(length - 1, strlen(str + 1));
31 EXPECT_EQ(0U, strlen(str + length));
32 }
33 // Arg of strlen is not malloced, OOB access
34 if (!is_global) {
35 // We don't insert RedZones to the left of global variables
36 EXPECT_DEATH(Ident(strlen(str - 1)), LeftOOBReadMessage(1));
37 EXPECT_DEATH(Ident(strlen(str - 5)), LeftOOBReadMessage(5));
38 }
39 EXPECT_DEATH(Ident(strlen(str + length + 1)), RightOOBReadMessage(0));
40 // Overwrite terminator
41 str[length] = 'a';
42 // String is not zero-terminated, strlen will lead to OOB access
43 EXPECT_DEATH(Ident(strlen(str)), RightOOBReadMessage(0));
44 EXPECT_DEATH(Ident(strlen(str + length)), RightOOBReadMessage(0));
45 // Restore terminator
46 str[length] = 0;
47 }
TEST(AddressSanitizer,StrLenOOBTest)48 TEST(AddressSanitizer, StrLenOOBTest) {
49 // Check heap-allocated string
50 size_t length = Ident(10);
51 char *heap_string = Ident((char*)malloc(length + 1));
52 char stack_string[10 + 1];
53 break_optimization(&stack_string);
54 for (size_t i = 0; i < length; i++) {
55 heap_string[i] = 'a';
56 stack_string[i] = 'b';
57 }
58 heap_string[length] = 0;
59 stack_string[length] = 0;
60 StrLenOOBTestTemplate(heap_string, length, false);
61 // TODO(samsonov): Fix expected messages in StrLenOOBTestTemplate to
62 // make test for stack_string work. Or move it to output tests.
63 // StrLenOOBTestTemplate(stack_string, length, false);
64 StrLenOOBTestTemplate(global_string, global_string_length, true);
65 free(heap_string);
66 }
67
TEST(AddressSanitizer,WcsLenTest)68 TEST(AddressSanitizer, WcsLenTest) {
69 EXPECT_EQ(0U, wcslen(Ident(L"")));
70 size_t hello_len = 13;
71 size_t hello_size = (hello_len + 1) * sizeof(wchar_t);
72 EXPECT_EQ(hello_len, wcslen(Ident(L"Hello, World!")));
73 wchar_t *heap_string = Ident((wchar_t*)malloc(hello_size));
74 memcpy(heap_string, L"Hello, World!", hello_size);
75 EXPECT_EQ(hello_len, Ident(wcslen(heap_string)));
76 EXPECT_DEATH(Ident(wcslen(heap_string + 14)), RightOOBReadMessage(0));
77 free(heap_string);
78 }
79
80 #if SANITIZER_TEST_HAS_STRNLEN
TEST(AddressSanitizer,StrNLenOOBTest)81 TEST(AddressSanitizer, StrNLenOOBTest) {
82 size_t size = Ident(123);
83 char *str = MallocAndMemsetString(size);
84 // Normal strnlen calls.
85 Ident(strnlen(str - 1, 0));
86 Ident(strnlen(str, size));
87 Ident(strnlen(str + size - 1, 1));
88 str[size - 1] = '\0';
89 Ident(strnlen(str, 2 * size));
90 // Argument points to not allocated memory.
91 EXPECT_DEATH(Ident(strnlen(str - 1, 1)), LeftOOBReadMessage(1));
92 EXPECT_DEATH(Ident(strnlen(str + size, 1)), RightOOBReadMessage(0));
93 // Overwrite the terminating '\0' and hit unallocated memory.
94 str[size - 1] = 'z';
95 EXPECT_DEATH(Ident(strnlen(str, size + 1)), RightOOBReadMessage(0));
96 free(str);
97 }
98 #endif // SANITIZER_TEST_HAS_STRNLEN
99
TEST(AddressSanitizer,StrDupOOBTest)100 TEST(AddressSanitizer, StrDupOOBTest) {
101 size_t size = Ident(42);
102 char *str = MallocAndMemsetString(size);
103 char *new_str;
104 // Normal strdup calls.
105 str[size - 1] = '\0';
106 new_str = strdup(str);
107 free(new_str);
108 new_str = strdup(str + size - 1);
109 free(new_str);
110 // Argument points to not allocated memory.
111 EXPECT_DEATH(Ident(strdup(str - 1)), LeftOOBReadMessage(1));
112 EXPECT_DEATH(Ident(strdup(str + size)), RightOOBReadMessage(0));
113 // Overwrite the terminating '\0' and hit unallocated memory.
114 str[size - 1] = 'z';
115 EXPECT_DEATH(Ident(strdup(str)), RightOOBReadMessage(0));
116 free(str);
117 }
118
TEST(AddressSanitizer,StrCpyOOBTest)119 TEST(AddressSanitizer, StrCpyOOBTest) {
120 size_t to_size = Ident(30);
121 size_t from_size = Ident(6); // less than to_size
122 char *to = Ident((char*)malloc(to_size));
123 char *from = Ident((char*)malloc(from_size));
124 // Normal strcpy calls.
125 strcpy(from, "hello");
126 strcpy(to, from);
127 strcpy(to + to_size - from_size, from);
128 // Length of "from" is too small.
129 EXPECT_DEATH(Ident(strcpy(from, "hello2")), RightOOBWriteMessage(0));
130 // "to" or "from" points to not allocated memory.
131 EXPECT_DEATH(Ident(strcpy(to - 1, from)), LeftOOBWriteMessage(1));
132 EXPECT_DEATH(Ident(strcpy(to, from - 1)), LeftOOBReadMessage(1));
133 EXPECT_DEATH(Ident(strcpy(to, from + from_size)), RightOOBReadMessage(0));
134 EXPECT_DEATH(Ident(strcpy(to + to_size, from)), RightOOBWriteMessage(0));
135 // Overwrite the terminating '\0' character and hit unallocated memory.
136 from[from_size - 1] = '!';
137 EXPECT_DEATH(Ident(strcpy(to, from)), RightOOBReadMessage(0));
138 free(to);
139 free(from);
140 }
141
TEST(AddressSanitizer,StrNCpyOOBTest)142 TEST(AddressSanitizer, StrNCpyOOBTest) {
143 size_t to_size = Ident(20);
144 size_t from_size = Ident(6); // less than to_size
145 char *to = Ident((char*)malloc(to_size));
146 // From is a zero-terminated string "hello\0" of length 6
147 char *from = Ident((char*)malloc(from_size));
148 strcpy(from, "hello");
149 // copy 0 bytes
150 strncpy(to, from, 0);
151 strncpy(to - 1, from - 1, 0);
152 // normal strncpy calls
153 strncpy(to, from, from_size);
154 strncpy(to, from, to_size);
155 strncpy(to, from + from_size - 1, to_size);
156 strncpy(to + to_size - 1, from, 1);
157 // One of {to, from} points to not allocated memory
158 EXPECT_DEATH(Ident(strncpy(to, from - 1, from_size)),
159 LeftOOBReadMessage(1));
160 EXPECT_DEATH(Ident(strncpy(to - 1, from, from_size)),
161 LeftOOBWriteMessage(1));
162 EXPECT_DEATH(Ident(strncpy(to, from + from_size, 1)),
163 RightOOBReadMessage(0));
164 EXPECT_DEATH(Ident(strncpy(to + to_size, from, 1)),
165 RightOOBWriteMessage(0));
166 // Length of "to" is too small
167 EXPECT_DEATH(Ident(strncpy(to + to_size - from_size + 1, from, from_size)),
168 RightOOBWriteMessage(0));
169 EXPECT_DEATH(Ident(strncpy(to + 1, from, to_size)),
170 RightOOBWriteMessage(0));
171 // Overwrite terminator in from
172 from[from_size - 1] = '!';
173 // normal strncpy call
174 strncpy(to, from, from_size);
175 // Length of "from" is too small
176 EXPECT_DEATH(Ident(strncpy(to, from, to_size)),
177 RightOOBReadMessage(0));
178 free(to);
179 free(from);
180 }
181
182 // Users may have different definitions of "strchr" and "index", so provide
183 // function pointer typedefs and overload RunStrChrTest implementation.
184 // We can't use macro for RunStrChrTest body here, as this macro would
185 // confuse EXPECT_DEATH gtest macro.
186 typedef char*(*PointerToStrChr1)(const char*, int);
187 typedef char*(*PointerToStrChr2)(char*, int);
188
RunStrChrTest(PointerToStrChr1 StrChr)189 UNUSED static void RunStrChrTest(PointerToStrChr1 StrChr) {
190 size_t size = Ident(100);
191 char *str = MallocAndMemsetString(size);
192 str[10] = 'q';
193 str[11] = '\0';
194 EXPECT_EQ(str, StrChr(str, 'z'));
195 EXPECT_EQ(str + 10, StrChr(str, 'q'));
196 EXPECT_EQ(NULL, StrChr(str, 'a'));
197 // StrChr argument points to not allocated memory.
198 EXPECT_DEATH(Ident(StrChr(str - 1, 'z')), LeftOOBReadMessage(1));
199 EXPECT_DEATH(Ident(StrChr(str + size, 'z')), RightOOBReadMessage(0));
200 // Overwrite the terminator and hit not allocated memory.
201 str[11] = 'z';
202 EXPECT_DEATH(Ident(StrChr(str, 'a')), RightOOBReadMessage(0));
203 free(str);
204 }
RunStrChrTest(PointerToStrChr2 StrChr)205 UNUSED static void RunStrChrTest(PointerToStrChr2 StrChr) {
206 size_t size = Ident(100);
207 char *str = MallocAndMemsetString(size);
208 str[10] = 'q';
209 str[11] = '\0';
210 EXPECT_EQ(str, StrChr(str, 'z'));
211 EXPECT_EQ(str + 10, StrChr(str, 'q'));
212 EXPECT_EQ(NULL, StrChr(str, 'a'));
213 // StrChr argument points to not allocated memory.
214 EXPECT_DEATH(Ident(StrChr(str - 1, 'z')), LeftOOBReadMessage(1));
215 EXPECT_DEATH(Ident(StrChr(str + size, 'z')), RightOOBReadMessage(0));
216 // Overwrite the terminator and hit not allocated memory.
217 str[11] = 'z';
218 EXPECT_DEATH(Ident(StrChr(str, 'a')), RightOOBReadMessage(0));
219 free(str);
220 }
221
TEST(AddressSanitizer,StrChrAndIndexOOBTest)222 TEST(AddressSanitizer, StrChrAndIndexOOBTest) {
223 RunStrChrTest(&strchr);
224 // No index() on Windows and on Android L.
225 #if !defined(_WIN32) && !defined(__ANDROID__)
226 RunStrChrTest(&index);
227 #endif
228 }
229
TEST(AddressSanitizer,StrCmpAndFriendsLogicTest)230 TEST(AddressSanitizer, StrCmpAndFriendsLogicTest) {
231 // strcmp
232 EXPECT_EQ(0, strcmp("", ""));
233 EXPECT_EQ(0, strcmp("abcd", "abcd"));
234 EXPECT_GT(0, strcmp("ab", "ac"));
235 EXPECT_GT(0, strcmp("abc", "abcd"));
236 EXPECT_LT(0, strcmp("acc", "abc"));
237 EXPECT_LT(0, strcmp("abcd", "abc"));
238
239 // strncmp
240 EXPECT_EQ(0, strncmp("a", "b", 0));
241 EXPECT_EQ(0, strncmp("abcd", "abcd", 10));
242 EXPECT_EQ(0, strncmp("abcd", "abcef", 3));
243 EXPECT_GT(0, strncmp("abcde", "abcfa", 4));
244 EXPECT_GT(0, strncmp("a", "b", 5));
245 EXPECT_GT(0, strncmp("bc", "bcde", 4));
246 EXPECT_LT(0, strncmp("xyz", "xyy", 10));
247 EXPECT_LT(0, strncmp("baa", "aaa", 1));
248 EXPECT_LT(0, strncmp("zyx", "", 2));
249
250 #if !defined(_WIN32) // no str[n]casecmp on Windows.
251 // strcasecmp
252 EXPECT_EQ(0, strcasecmp("", ""));
253 EXPECT_EQ(0, strcasecmp("zzz", "zzz"));
254 EXPECT_EQ(0, strcasecmp("abCD", "ABcd"));
255 EXPECT_GT(0, strcasecmp("aB", "Ac"));
256 EXPECT_GT(0, strcasecmp("ABC", "ABCd"));
257 EXPECT_LT(0, strcasecmp("acc", "abc"));
258 EXPECT_LT(0, strcasecmp("ABCd", "abc"));
259
260 // strncasecmp
261 EXPECT_EQ(0, strncasecmp("a", "b", 0));
262 EXPECT_EQ(0, strncasecmp("abCD", "ABcd", 10));
263 EXPECT_EQ(0, strncasecmp("abCd", "ABcef", 3));
264 EXPECT_GT(0, strncasecmp("abcde", "ABCfa", 4));
265 EXPECT_GT(0, strncasecmp("a", "B", 5));
266 EXPECT_GT(0, strncasecmp("bc", "BCde", 4));
267 EXPECT_LT(0, strncasecmp("xyz", "xyy", 10));
268 EXPECT_LT(0, strncasecmp("Baa", "aaa", 1));
269 EXPECT_LT(0, strncasecmp("zyx", "", 2));
270 #endif
271
272 // memcmp
273 EXPECT_EQ(0, memcmp("a", "b", 0));
274 EXPECT_EQ(0, memcmp("ab\0c", "ab\0c", 4));
275 EXPECT_GT(0, memcmp("\0ab", "\0ac", 3));
276 EXPECT_GT(0, memcmp("abb\0", "abba", 4));
277 EXPECT_LT(0, memcmp("ab\0cd", "ab\0c\0", 5));
278 EXPECT_LT(0, memcmp("zza", "zyx", 3));
279 }
280
281 typedef int(*PointerToStrCmp)(const char*, const char*);
RunStrCmpTest(PointerToStrCmp StrCmp)282 void RunStrCmpTest(PointerToStrCmp StrCmp) {
283 size_t size = Ident(100);
284 int fill = 'o';
285 char *s1 = MallocAndMemsetString(size, fill);
286 char *s2 = MallocAndMemsetString(size, fill);
287 s1[size - 1] = '\0';
288 s2[size - 1] = '\0';
289 // Normal StrCmp calls
290 Ident(StrCmp(s1, s2));
291 Ident(StrCmp(s1, s2 + size - 1));
292 Ident(StrCmp(s1 + size - 1, s2 + size - 1));
293 // One of arguments points to not allocated memory.
294 EXPECT_DEATH(Ident(StrCmp)(s1 - 1, s2), LeftOOBReadMessage(1));
295 EXPECT_DEATH(Ident(StrCmp)(s1, s2 - 1), LeftOOBReadMessage(1));
296 EXPECT_DEATH(Ident(StrCmp)(s1 + size, s2), RightOOBReadMessage(0));
297 EXPECT_DEATH(Ident(StrCmp)(s1, s2 + size), RightOOBReadMessage(0));
298 // Hit unallocated memory and die.
299 s1[size - 1] = fill;
300 EXPECT_DEATH(Ident(StrCmp)(s1, s1), RightOOBReadMessage(0));
301 EXPECT_DEATH(Ident(StrCmp)(s1 + size - 1, s2), RightOOBReadMessage(0));
302 free(s1);
303 free(s2);
304 }
305
TEST(AddressSanitizer,StrCmpOOBTest)306 TEST(AddressSanitizer, StrCmpOOBTest) {
307 RunStrCmpTest(&strcmp);
308 }
309
310 #if !defined(_WIN32) // no str[n]casecmp on Windows.
TEST(AddressSanitizer,StrCaseCmpOOBTest)311 TEST(AddressSanitizer, StrCaseCmpOOBTest) {
312 RunStrCmpTest(&strcasecmp);
313 }
314 #endif
315
316 typedef int(*PointerToStrNCmp)(const char*, const char*, size_t);
RunStrNCmpTest(PointerToStrNCmp StrNCmp)317 void RunStrNCmpTest(PointerToStrNCmp StrNCmp) {
318 size_t size = Ident(100);
319 char *s1 = MallocAndMemsetString(size);
320 char *s2 = MallocAndMemsetString(size);
321 s1[size - 1] = '\0';
322 s2[size - 1] = '\0';
323 // Normal StrNCmp calls
324 Ident(StrNCmp(s1, s2, size + 2));
325 s1[size - 1] = 'z';
326 s2[size - 1] = 'x';
327 Ident(StrNCmp(s1 + size - 2, s2 + size - 2, size));
328 s2[size - 1] = 'z';
329 Ident(StrNCmp(s1 - 1, s2 - 1, 0));
330 Ident(StrNCmp(s1 + size - 1, s2 + size - 1, 1));
331 // One of arguments points to not allocated memory.
332 EXPECT_DEATH(Ident(StrNCmp)(s1 - 1, s2, 1), LeftOOBReadMessage(1));
333 EXPECT_DEATH(Ident(StrNCmp)(s1, s2 - 1, 1), LeftOOBReadMessage(1));
334 EXPECT_DEATH(Ident(StrNCmp)(s1 + size, s2, 1), RightOOBReadMessage(0));
335 EXPECT_DEATH(Ident(StrNCmp)(s1, s2 + size, 1), RightOOBReadMessage(0));
336 // Hit unallocated memory and die.
337 EXPECT_DEATH(Ident(StrNCmp)(s1 + 1, s2 + 1, size), RightOOBReadMessage(0));
338 EXPECT_DEATH(Ident(StrNCmp)(s1 + size - 1, s2, 2), RightOOBReadMessage(0));
339 free(s1);
340 free(s2);
341 }
342
TEST(AddressSanitizer,StrNCmpOOBTest)343 TEST(AddressSanitizer, StrNCmpOOBTest) {
344 RunStrNCmpTest(&strncmp);
345 }
346
347 #if !defined(_WIN32) // no str[n]casecmp on Windows.
TEST(AddressSanitizer,StrNCaseCmpOOBTest)348 TEST(AddressSanitizer, StrNCaseCmpOOBTest) {
349 RunStrNCmpTest(&strncasecmp);
350 }
351 #endif
352
TEST(AddressSanitizer,StrCatOOBTest)353 TEST(AddressSanitizer, StrCatOOBTest) {
354 // strcat() reads strlen(to) bytes from |to| before concatenating.
355 size_t to_size = Ident(100);
356 char *to = MallocAndMemsetString(to_size);
357 to[0] = '\0';
358 size_t from_size = Ident(20);
359 char *from = MallocAndMemsetString(from_size);
360 from[from_size - 1] = '\0';
361 // Normal strcat calls.
362 strcat(to, from);
363 strcat(to, from);
364 strcat(to + from_size, from + from_size - 2);
365 // Passing an invalid pointer is an error even when concatenating an empty
366 // string.
367 EXPECT_DEATH(strcat(to - 1, from + from_size - 1), LeftOOBAccessMessage(1));
368 // One of arguments points to not allocated memory.
369 EXPECT_DEATH(strcat(to - 1, from), LeftOOBAccessMessage(1));
370 EXPECT_DEATH(strcat(to, from - 1), LeftOOBReadMessage(1));
371 EXPECT_DEATH(strcat(to, from + from_size), RightOOBReadMessage(0));
372
373 // "from" is not zero-terminated.
374 from[from_size - 1] = 'z';
375 EXPECT_DEATH(strcat(to, from), RightOOBReadMessage(0));
376 from[from_size - 1] = '\0';
377 // "to" is too short to fit "from".
378 memset(to, 'z', to_size);
379 to[to_size - from_size + 1] = '\0';
380 EXPECT_DEATH(strcat(to, from), RightOOBWriteMessage(0));
381 // length of "to" is just enough.
382 strcat(to, from + 1);
383
384 free(to);
385 free(from);
386 }
387
TEST(AddressSanitizer,StrNCatOOBTest)388 TEST(AddressSanitizer, StrNCatOOBTest) {
389 // strncat() reads strlen(to) bytes from |to| before concatenating.
390 size_t to_size = Ident(100);
391 char *to = MallocAndMemsetString(to_size);
392 to[0] = '\0';
393 size_t from_size = Ident(20);
394 char *from = MallocAndMemsetString(from_size);
395 // Normal strncat calls.
396 strncat(to, from, 0);
397 strncat(to, from, from_size);
398 from[from_size - 1] = '\0';
399 strncat(to, from, 2 * from_size);
400 // Catenating empty string with an invalid string is still an error.
401 EXPECT_DEATH(strncat(to - 1, from, 0), LeftOOBAccessMessage(1));
402 strncat(to, from + from_size - 1, 10);
403 // One of arguments points to not allocated memory.
404 EXPECT_DEATH(strncat(to - 1, from, 2), LeftOOBAccessMessage(1));
405 EXPECT_DEATH(strncat(to, from - 1, 2), LeftOOBReadMessage(1));
406 EXPECT_DEATH(strncat(to, from + from_size, 2), RightOOBReadMessage(0));
407
408 memset(from, 'z', from_size);
409 memset(to, 'z', to_size);
410 to[0] = '\0';
411 // "from" is too short.
412 EXPECT_DEATH(strncat(to, from, from_size + 1), RightOOBReadMessage(0));
413 // "to" is too short to fit "from".
414 to[0] = 'z';
415 to[to_size - from_size + 1] = '\0';
416 EXPECT_DEATH(strncat(to, from, from_size - 1), RightOOBWriteMessage(0));
417 // "to" is just enough.
418 strncat(to, from, from_size - 2);
419
420 free(to);
421 free(from);
422 }
423
OverlapErrorMessage(const string & func)424 static string OverlapErrorMessage(const string &func) {
425 return func + "-param-overlap";
426 }
427
TEST(AddressSanitizer,StrArgsOverlapTest)428 TEST(AddressSanitizer, StrArgsOverlapTest) {
429 size_t size = Ident(100);
430 char *str = Ident((char*)malloc(size));
431
432 // Do not check memcpy() on OS X 10.7 and later, where it actually aliases
433 // memmove().
434 #if !defined(__APPLE__) || !defined(MAC_OS_X_VERSION_10_7) || \
435 (MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7)
436 // Check "memcpy". Use Ident() to avoid inlining.
437 memset(str, 'z', size);
438 Ident(memcpy)(str + 1, str + 11, 10);
439 Ident(memcpy)(str, str, 0);
440 EXPECT_DEATH(Ident(memcpy)(str, str + 14, 15), OverlapErrorMessage("memcpy"));
441 EXPECT_DEATH(Ident(memcpy)(str + 14, str, 15), OverlapErrorMessage("memcpy"));
442 #endif
443
444 // We do not treat memcpy with to==from as a bug.
445 // See http://llvm.org/bugs/show_bug.cgi?id=11763.
446 // EXPECT_DEATH(Ident(memcpy)(str + 20, str + 20, 1),
447 // OverlapErrorMessage("memcpy"));
448
449 // Check "strcpy".
450 memset(str, 'z', size);
451 str[9] = '\0';
452 strcpy(str + 10, str);
453 EXPECT_DEATH(strcpy(str + 9, str), OverlapErrorMessage("strcpy"));
454 EXPECT_DEATH(strcpy(str, str + 4), OverlapErrorMessage("strcpy"));
455 strcpy(str, str + 5);
456
457 // Check "strncpy".
458 memset(str, 'z', size);
459 strncpy(str, str + 10, 10);
460 EXPECT_DEATH(strncpy(str, str + 9, 10), OverlapErrorMessage("strncpy"));
461 EXPECT_DEATH(strncpy(str + 9, str, 10), OverlapErrorMessage("strncpy"));
462 str[10] = '\0';
463 strncpy(str + 11, str, 20);
464 EXPECT_DEATH(strncpy(str + 10, str, 20), OverlapErrorMessage("strncpy"));
465
466 // Check "strcat".
467 memset(str, 'z', size);
468 str[10] = '\0';
469 str[20] = '\0';
470 strcat(str, str + 10);
471 EXPECT_DEATH(strcat(str, str + 11), OverlapErrorMessage("strcat"));
472 str[10] = '\0';
473 strcat(str + 11, str);
474 EXPECT_DEATH(strcat(str, str + 9), OverlapErrorMessage("strcat"));
475 EXPECT_DEATH(strcat(str + 9, str), OverlapErrorMessage("strcat"));
476 EXPECT_DEATH(strcat(str + 10, str), OverlapErrorMessage("strcat"));
477
478 // Check "strncat".
479 memset(str, 'z', size);
480 str[10] = '\0';
481 strncat(str, str + 10, 10); // from is empty
482 EXPECT_DEATH(strncat(str, str + 11, 10), OverlapErrorMessage("strncat"));
483 str[10] = '\0';
484 str[20] = '\0';
485 strncat(str + 5, str, 5);
486 str[10] = '\0';
487 EXPECT_DEATH(strncat(str + 5, str, 6), OverlapErrorMessage("strncat"));
488 EXPECT_DEATH(strncat(str, str + 9, 10), OverlapErrorMessage("strncat"));
489
490 free(str);
491 }
492
493 typedef void(*PointerToCallAtoi)(const char*);
494
RunAtoiOOBTest(PointerToCallAtoi Atoi)495 void RunAtoiOOBTest(PointerToCallAtoi Atoi) {
496 char *array = MallocAndMemsetString(10, '1');
497 // Invalid pointer to the string.
498 EXPECT_DEATH(Atoi(array + 11), RightOOBReadMessage(1));
499 EXPECT_DEATH(Atoi(array - 1), LeftOOBReadMessage(1));
500 // Die if a buffer doesn't have terminating NULL.
501 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0));
502 // Make last symbol a terminating NULL
503 array[9] = '\0';
504 Atoi(array);
505 // Sometimes we need to detect overflow if no digits are found.
506 memset(array, ' ', 10);
507 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0));
508 array[9] = '-';
509 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0));
510 EXPECT_DEATH(Atoi(array + 9), RightOOBReadMessage(0));
511 free(array);
512 }
513
514 #if !defined(_WIN32) // FIXME: Fix and enable on Windows.
CallAtoi(const char * nptr)515 void CallAtoi(const char *nptr) {
516 Ident(atoi(nptr));
517 }
CallAtol(const char * nptr)518 void CallAtol(const char *nptr) {
519 Ident(atol(nptr));
520 }
CallAtoll(const char * nptr)521 void CallAtoll(const char *nptr) {
522 Ident(atoll(nptr));
523 }
TEST(AddressSanitizer,AtoiAndFriendsOOBTest)524 TEST(AddressSanitizer, AtoiAndFriendsOOBTest) {
525 RunAtoiOOBTest(&CallAtoi);
526 RunAtoiOOBTest(&CallAtol);
527 RunAtoiOOBTest(&CallAtoll);
528 }
529 #endif
530
531 typedef void(*PointerToCallStrtol)(const char*, char**, int);
532
RunStrtolOOBTest(PointerToCallStrtol Strtol)533 void RunStrtolOOBTest(PointerToCallStrtol Strtol) {
534 char *array = MallocAndMemsetString(3);
535 array[0] = '1';
536 array[1] = '2';
537 array[2] = '3';
538 // Invalid pointer to the string.
539 EXPECT_DEATH(Strtol(array + 3, NULL, 0), RightOOBReadMessage(0));
540 EXPECT_DEATH(Strtol(array - 1, NULL, 0), LeftOOBReadMessage(1));
541 // Buffer overflow if there is no terminating null (depends on base).
542 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
543 array[2] = 'z';
544 EXPECT_DEATH(Strtol(array, NULL, 36), RightOOBReadMessage(0));
545 // Add terminating zero to get rid of overflow.
546 array[2] = '\0';
547 Strtol(array, NULL, 36);
548 // Sometimes we need to detect overflow if no digits are found.
549 array[0] = array[1] = array[2] = ' ';
550 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
551 array[2] = '+';
552 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
553 array[2] = '-';
554 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
555 free(array);
556 }
557
558 #if !defined(_WIN32) // FIXME: Fix and enable on Windows.
CallStrtol(const char * nptr,char ** endptr,int base)559 void CallStrtol(const char *nptr, char **endptr, int base) {
560 Ident(strtol(nptr, endptr, base));
561 }
CallStrtoll(const char * nptr,char ** endptr,int base)562 void CallStrtoll(const char *nptr, char **endptr, int base) {
563 Ident(strtoll(nptr, endptr, base));
564 }
TEST(AddressSanitizer,StrtollOOBTest)565 TEST(AddressSanitizer, StrtollOOBTest) {
566 RunStrtolOOBTest(&CallStrtoll);
567 }
TEST(AddressSanitizer,StrtolOOBTest)568 TEST(AddressSanitizer, StrtolOOBTest) {
569 RunStrtolOOBTest(&CallStrtol);
570 }
571 #endif
572
573
574