Issue 173113
Summary clang-tidy clang-analyzer TaintedAlloc bug
Labels clang-tidy
Assignees
Reporter colin-pm
I found an issue where TaintedAlloc flags this code:

```c
#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups > NGROUPS_MAX) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}
```

However, the following code resolves the warning:

```c
#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups * sizeof(gid_t) > NGROUPS_MAX * sizeof(gid_t)) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}
```

In the second example I essentially have `x * c > y * c`, which is equivalent to `x > y`. I'm just implicitly bounds checking `groups * sizeof(gid_t)` by checking `groups`, knowing that `sizeof(gid_t)` is a constant.
_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs