Due to a typo, `sprintf()` was recognized as a taint source instead of a
taint propagator. It was because an empty taint source list - which is
the first parameter of the `TaintPropagationRule` - encoded the
unconditional taint sources.
This typo effectively turned the `sprintf()` into an unconditional taint
source.
This patch fixes that typo and demonstrated the correct behavior with
tests.
Reviewed By: martong
Differential Revision: https://reviews.llvm.org/D112558
if (OneOf("snprintf"))
return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3};
if (OneOf("sprintf"))
- return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2};
+ return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 2};
if (OneOf("strcpy", "stpcpy", "strcat"))
return {{1}, {0, ReturnValueIndex}};
if (OneOf("bcopy"))
*(volatile int *) 0; // no-warning
}
+int sprintf_is_not_a_source(char *buf, char *msg) {
+ int x = sprintf(buf, "%s", msg); // no-warning
+ return 1 / x; // no-warning: 'sprintf' is not a taint source
+}
+
+int sprintf_propagates_taint(char *buf, char *msg) {
+ scanf("%s", msg);
+ int x = sprintf(buf, "%s", msg); // propagate taint!
+ return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
+}
// Test configuration
int mySource1();