1 Feb 2012 15:32
Taint analysis
Hello,
I was playing with the experimental taint analyzer and found a simple case
where the taint checker fails:

    #include <stdio.h>

    void test_bad()
    {
        char s[80];
        sprintf(s, "%s", "aaa");
        fscanf(stdin, "%s", s);
        printf(s); // expected-warning {{Uncontrolled Format String}}
    }

If sprintf is commented out, the diagnostic is produced as expected.
Full testcase attached.
Dmitri Gribenko
--
main(i,j){for(i=2;;i++){for(j=2;j<i;j++){if(!(i%j)){j=0;break;}}if
(j){printf("%d\n",i);}}} /*Dmitri Gribenko <gribozavr@...>*/
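
For reference, the sink in the test case above written so that the tainted buffer is never used as a format string and the read is bounded. This is an added example, not part of the original post or the attached testcase; the names echo_token and echo_sample and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reads one whitespace-delimited token from `in` and renders it into `out`.
 * Returns the number of characters written, or -1 on read failure. */
int echo_token(FILE *in, char *out, size_t outsz)
{
    char s[80];

    /* Width 79 leaves room for the terminating NUL in s[80]. */
    if (fscanf(in, "%79s", s) != 1)
        return -1;

    /* The post's sink is printf(s): tainted data used as the format.
     * Here the format is a literal and s is only an argument. */
    return snprintf(out, outsz, "%s", s);
}

/* Hypothetical helper: run echo_token over a constructed sample input. */
int echo_sample(const char *input, char *out, size_t outsz)
{
    FILE *f = tmpfile();
    int n;

    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    n = echo_token(f, out, outsz);
    fclose(f);
    return n;
}

int main(void)
{
    char out[128];

    /* Constructed input containing conversion specifiers. */
    if (echo_sample("%x.%x.%d\n", out, sizeof out) >= 0)
        puts(out);
    return 0;
}
```

With a literal format the specifiers in the input are copied through as plain characters, so a taint checker has no tainted format argument to report here.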