================
@@ -229,6 +228,28 @@ Check for declarations of Variable Length Arrays of 
undefined or zero size.
    int vla2[x]; // warn: zero size
  }
 
+
+The checker also gives warning if the `TaintPropagation` checker is switched on
+and an unbound, attacker controlled (tainted) value is used to define
+the size of the VLA.
+
+.. code-block:: c
+
+ void taintedVLA(void) {
+   int x;
+   scanf("%d", &x);
+   int vla[x]; // Declared variable-length array (VLA) has a tainted (attacker 
controlled) size, that can be 0 or negative
+ }
+
+ void taintedVerfieidVLA(void) {
+   int x;
+   scanf("%d", &x);
+   if (x<1)
+     return;
+   int vla[x]; // no-warning. The analyzer can prove that the x can only be 
positive.
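Review bot: The added paragraph says the warning fires for an "unbound" tainted size, but the no-warning example in `taintedVerfieidVLA` only establishes a lower bound (`if (x<1) return;`) and the warning comment in `taintedVLA` mentions only "can be 0 or negative", so a reader cannot tell whether an upper bound on `x` is also required. Either reword the paragraph to name the condition the examples actually show (a tainted size that may be zero or negative), or add an upper-bound check to the second example if the checker expects one. Two smaller points in the same hunk: the function name `taintedVerfieidVLA` is misspelled (presumably `taintedVerifiedVLA`), and "gives warning" should read "gives a warning".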
----------------
NagyDonat wrote:

```suggestion
   int vla[x]; // no-warning. The analyzer can prove that x must be positive.
```
`the x` was very strange.

https://github.com/llvm/llvm-project/pull/68140
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits