proposed new code for added functionality and improvement in Checker GenericTaintChecker and CStringChecker #14258

@llvmbot

Description

Bugzilla Link 13886
Version trunk
OS Linux
Attachments Patch on version trunk
Reporter LLVM Bugzilla Contributor
CC @AnnaZaks

Extended Description

CStringChecker:
Added functionality to detect a memory overflow (tainted src sizeof > dst sizeof) during a memory copy from a tainted input.

GenericTaintChecker:
Added propagation functions: strlen, strtok, fgets
Improved detection of stdin and adding on entry "0"

Removed the removal of the propagation tag on the old element or propagated source...
Example:
fgets(addr, sizeof(addr), stdin); stdin -> addr (tainted)
sprintf(buffer, "test 1 %s", addr); addr -> buffer (tainted), but with the old version addr no longer had the propagation tag; if it was reused by another copy function, we would not see the spread.

Sorry for my English...

Cordially,
Lionel
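
The flow described in the report, written out as a complete C program with the unbounded copy beside a bounded version. This is an added example, not code from the attached patch; the buffer sizes, the function names and the `sample_stream` helper are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { ADDR_SZ = 64, MSG_SZ = 96, DST_SZ = 16 };  /* assumed sizes */

/* Flow from the report: in -> addr (tainted), addr -> msg (tainted), then
 * addr is reused by a second copy. If addr lost its taint after sprintf,
 * the strcpy below would look clean to the checker. */
int handle_unchecked(FILE *in, char *msg, char *dst)
{
    char addr[ADDR_SZ];
    if (!fgets(addr, sizeof(addr), in)) return -1;  /* taint source */
    sprintf(msg, "test 1 %s", addr);     /* 7 + 63 + 1 <= MSG_SZ, fits */
    strcpy(dst, addr);                   /* up to 64 tainted bytes into 16 */
    return 0;
}

/* Hardened form: each copy is bounded by its destination size, and an
 * oversized value is rejected rather than silently truncated. */
int handle_checked(FILE *in, char *msg, char *dst)
{
    char addr[ADDR_SZ];
    if (!fgets(addr, sizeof(addr), in)) return -1;
    addr[strcspn(addr, "\n")] = '\0';    /* drop the newline fgets keeps */
    int n = snprintf(msg, MSG_SZ, "test 1 %s", addr);
    if (n < 0 || n >= MSG_SZ)
        return -2;
    size_t len = strlen(addr);
    if (len >= DST_SZ)                   /* tainted src would not fit in dst */
        return -3;
    memcpy(dst, addr, len + 1);
    return 0;
}

/* Constructed input: a temporary stream standing in for stdin. */
FILE *sample_stream(const char *text)
{
    FILE *f = tmpfile();
    if (f) { fputs(text, f); rewind(f); }
    return f;
}

int main(void)
{
    char msg[MSG_SZ], dst[DST_SZ];
    int rc = handle_checked(stdin, msg, dst);
    if (rc == 0) printf("%s | %s\n", msg, dst);
    return rc ? 1 : 0;
}
```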
