1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
// Test strict_string_checks option in strtol function
// RUN: %clang_asan -DTEST1 %s -o %t
// RUN: %run %t test1 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=false %run %t test1 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=true not %run %t test1 2>&1 | FileCheck %s --check-prefix=CHECK1
// RUN: %run %t test2 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=false %run %t test2 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=true not %run %t test2 2>&1 | FileCheck %s --check-prefix=CHECK2
// RUN: %run %t test3 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=false %run %t test3 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=true not %run %t test3 2>&1 | FileCheck %s --check-prefix=CHECK3
// RUN: %run %t test4 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=false %run %t test4 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=true not %run %t test4 2>&1 | FileCheck %s --check-prefix=CHECK4
// RUN: %run %t test5 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=false %run %t test5 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=true not %run %t test5 2>&1 | FileCheck %s --check-prefix=CHECK5
// RUN: %run %t test6 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=false %run %t test6 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=true not %run %t test6 2>&1 | FileCheck %s --check-prefix=CHECK6
// RUN: %run %t test7 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=false %run %t test7 2>&1
// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:strict_string_checks=true not %run %t test7 2>&1 | FileCheck %s --check-prefix=CHECK7
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <sanitizer/asan_interface.h>
void test1(char *array, char *endptr) {
// Buffer overflow if there is no terminating null (depends on base)
long r = strtol(array, &endptr, 3);
assert(array + 2 == endptr);
assert(r == 5);
}
void test2(char *array, char *endptr) {
// Buffer overflow if there is no terminating null (depends on base)
array[2] = 'z';
long r = strtol(array, &endptr, 35);
assert(array + 2 == endptr);
assert(r == 37);
}
void test3(char *array, char *endptr) {
// Buffer overflow if base is invalid.
memset(array, 0, 8);
ASAN_POISON_MEMORY_REGION(array, 8);
long r = strtol(array + 1, NULL, -1);
assert(r == 0);
ASAN_UNPOISON_MEMORY_REGION(array, 8);
}
void test4(char *array, char *endptr) {
// Buffer overflow if base is invalid.
long r = strtol(array + 3, NULL, 1);
assert(r == 0);
}
void test5(char *array, char *endptr) {
// Overflow if no digits are found.
array[0] = ' ';
array[1] = '+';
array[2] = '-';
long r = strtol(array, NULL, 0);
assert(r == 0);
}
void test6(char *array, char *endptr) {
// Overflow if no digits are found.
array[0] = ' ';
array[1] = array[2] = 'z';
long r = strtol(array, &endptr, 0);
assert(array == endptr);
assert(r == 0);
}
void test7(char *array, char *endptr) {
// Overflow if no digits are found.
array[2] = 'z';
long r = strtol(array + 2, NULL, 0);
assert(r == 0);
}
int main(int argc, char **argv) {
char *array0 = (char*)malloc(11);
char* array = array0 + 8;
char *endptr = NULL;
array[0] = '1';
array[1] = '2';
array[2] = '3';
if (argc != 2) return 1;
if (!strcmp(argv[1], "test1")) test1(array, endptr);
// CHECK1: {{.*ERROR: AddressSanitizer: heap-buffer-overflow on address}}
// CHECK1: READ of size 4
if (!strcmp(argv[1], "test2")) test2(array, endptr);
// CHECK2: {{.*ERROR: AddressSanitizer: heap-buffer-overflow on address}}
// CHECK2: READ of size 4
if (!strcmp(argv[1], "test3")) test3(array0, endptr);
// CHECK3: {{.*ERROR: AddressSanitizer: use-after-poison on address}}
// CHECK3: READ of size 1
if (!strcmp(argv[1], "test4")) test4(array, endptr);
// CHECK4: {{.*ERROR: AddressSanitizer: heap-buffer-overflow on address}}
// CHECK4: READ of size 1
if (!strcmp(argv[1], "test5")) test5(array, endptr);
// CHECK5: {{.*ERROR: AddressSanitizer: heap-buffer-overflow on address}}
// CHECK5: READ of size 4
if (!strcmp(argv[1], "test6")) test6(array, endptr);
// CHECK6: {{.*ERROR: AddressSanitizer: heap-buffer-overflow on address}}
// CHECK6: READ of size 4
if (!strcmp(argv[1], "test7")) test7(array, endptr);
// CHECK7: {{.*ERROR: AddressSanitizer: heap-buffer-overflow on address}}
// CHECK7: READ of size 2
free(array0);
return 0;
}
|
