xref: /aosp_15_r20/external/clang/test/Analysis/malloc-overflow.c (revision 67e74705e28f6214e480b399dd47ea732279e315) 
1*67e74705SXin Li // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.MallocOverflow -verify %s
2*67e74705SXin Li 
3*67e74705SXin Li #define NULL ((void *) 0)
4*67e74705SXin Li typedef __typeof__(sizeof(int)) size_t;
5*67e74705SXin Li extern void * malloc(size_t);
6*67e74705SXin Li 
f1(int n)7*67e74705SXin Li void * f1(int n)
8*67e74705SXin Li {
9*67e74705SXin Li   return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
10*67e74705SXin Li }
11*67e74705SXin Li 
f2(int n)12*67e74705SXin Li void * f2(int n)
13*67e74705SXin Li {
14*67e74705SXin Li   return malloc(sizeof(int) * n); // // expected-warning {{the computation of the size of the memory allocation may overflow}}
15*67e74705SXin Li }
16*67e74705SXin Li 
f3()17*67e74705SXin Li void * f3()
18*67e74705SXin Li {
19*67e74705SXin Li   return malloc(4 * sizeof(int));  // no-warning
20*67e74705SXin Li }
21*67e74705SXin Li 
22*67e74705SXin Li struct s4
23*67e74705SXin Li {
24*67e74705SXin Li   int n;
25*67e74705SXin Li };
26*67e74705SXin Li 
f4(struct s4 * s)27*67e74705SXin Li void * f4(struct s4 *s)
28*67e74705SXin Li {
29*67e74705SXin Li   return malloc(s->n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
30*67e74705SXin Li }
31*67e74705SXin Li 
f5(struct s4 * s)32*67e74705SXin Li void * f5(struct s4 *s)
33*67e74705SXin Li {
34*67e74705SXin Li   struct s4 s2 = *s;
35*67e74705SXin Li   return malloc(s2.n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
36*67e74705SXin Li }
37*67e74705SXin Li 
f6(int n)38*67e74705SXin Li void * f6(int n)
39*67e74705SXin Li {
40*67e74705SXin Li   return malloc((n + 1) * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
41*67e74705SXin Li }
42*67e74705SXin Li 
43*67e74705SXin Li extern void * malloc (size_t);
44*67e74705SXin Li 
f7(int n)45*67e74705SXin Li void * f7(int n)
46*67e74705SXin Li {
47*67e74705SXin Li   if (n > 10)
48*67e74705SXin Li     return NULL;
49*67e74705SXin Li   return malloc(n * sizeof(int));  // no-warning
50*67e74705SXin Li }
51*67e74705SXin Li 
f8(int n)52*67e74705SXin Li void * f8(int n)
53*67e74705SXin Li {
54*67e74705SXin Li   if (n < 10)
55*67e74705SXin Li     return malloc(n * sizeof(int));  // no-warning
56*67e74705SXin Li   else
57*67e74705SXin Li     return NULL;
58*67e74705SXin Li }
59*67e74705SXin Li 
f9(int n)60*67e74705SXin Li void * f9(int n)
61*67e74705SXin Li {
62*67e74705SXin Li   int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
63*67e74705SXin Li   for (int i = 0; i < n; i++)
64*67e74705SXin Li     x[i] = i;
65*67e74705SXin Li   return x;
66*67e74705SXin Li }
67*67e74705SXin Li 
f10(int n)68*67e74705SXin Li void * f10(int n)
69*67e74705SXin Li {
70*67e74705SXin Li   int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
71*67e74705SXin Li   int i = 0;
72*67e74705SXin Li   while (i < n)
73*67e74705SXin Li     x[i++] = 0;
74*67e74705SXin Li   return x;
75*67e74705SXin Li }
76*67e74705SXin Li 
f11(int n)77*67e74705SXin Li void * f11(int n)
78*67e74705SXin Li {
79*67e74705SXin Li   int * x = malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
80*67e74705SXin Li   int i = 0;
81*67e74705SXin Li   do {
82*67e74705SXin Li     x[i++] = 0;
83*67e74705SXin Li   } while (i < n);
84*67e74705SXin Li   return x;
85*67e74705SXin Li }
86*67e74705SXin Li 
f12(int n)87*67e74705SXin Li void * f12(int n)
88*67e74705SXin Li {
89*67e74705SXin Li   n = (n > 10 ? 10 : n);
90*67e74705SXin Li   int * x = malloc(n * sizeof(int));  // no-warning
91*67e74705SXin Li   for (int i = 0; i < n; i++)
92*67e74705SXin Li     x[i] = i;
93*67e74705SXin Li   return x;
94*67e74705SXin Li }
95*67e74705SXin Li 
96*67e74705SXin Li struct s13
97*67e74705SXin Li {
98*67e74705SXin Li   int n;
99*67e74705SXin Li };
100*67e74705SXin Li 
f13(struct s13 * s)101*67e74705SXin Li void * f13(struct s13 *s)
102*67e74705SXin Li {
103*67e74705SXin Li   if (s->n > 10)
104*67e74705SXin Li     return NULL;
105*67e74705SXin Li   return malloc(s->n * sizeof(int)); // no-warning
106*67e74705SXin Li }
107*67e74705SXin Li 
f14(int n)108*67e74705SXin Li void * f14(int n)
109*67e74705SXin Li {
110*67e74705SXin Li   if (n < 0)
111*67e74705SXin Li     return NULL;
112*67e74705SXin Li   return malloc(n * sizeof(int));  // expected-warning {{the computation of the size of the memory allocation may overflow}}
113*67e74705SXin Li }
114