1//=-- asan_str_test.cpp ---------------------------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file is a part of AddressSanitizer, an address sanity checker.
10//
11//===----------------------------------------------------------------------===//
12#include "asan_test_utils.h"
13
14#if defined(__APPLE__)
15#include <AvailabilityMacros.h> // For MAC_OS_X_VERSION_*
16#endif
17
18// Used for string functions tests
19static char global_string[] = "global";
20static size_t global_string_length = 6;
21
22const char kStackReadUnderflow[] =
23#if !GTEST_USES_SIMPLE_RE
24 ASAN_PCRE_DOTALL
25 "READ.*"
26#endif
27 "underflows this variable";
28const char kStackReadOverflow[] =
29#if !GTEST_USES_SIMPLE_RE
30 ASAN_PCRE_DOTALL
31 "READ.*"
32#endif
33 "overflows this variable";
34
35namespace {
36enum class OOBKind {
37 Heap,
38 Stack,
39 Global,
40};
41
42std::string LeftOOBReadMessage(OOBKind oob_kind, int oob_distance) {
43 return oob_kind == OOBKind::Stack ? kStackReadUnderflow
44 : ::LeftOOBReadMessage(oob_distance);
45}
46
47std::string RightOOBReadMessage(OOBKind oob_kind, int oob_distance) {
48 return oob_kind == OOBKind::Stack ? kStackReadOverflow
49 : ::RightOOBReadMessage(oob_distance);
50}
51} // namespace
52
53// Input to a test is a zero-terminated string str with given length
54// Accesses to the bytes before and after str
55// are presumed to produce OOB errors
56void StrLenOOBTestTemplate(char *str, size_t length, OOBKind oob_kind) {
57 // Normal strlen calls
58 EXPECT_EQ(strlen(s: str), length);
59 if (length > 0) {
60 EXPECT_EQ(length - 1, strlen(s: str + 1));
61 EXPECT_EQ(0U, strlen(s: str + length));
62 }
63 // Arg of strlen is not malloced, OOB access
64 if (oob_kind != OOBKind::Global) {
65 // We don't insert RedZones before global variables
66 EXPECT_DEATH(Ident(strlen(str - 1)), LeftOOBReadMessage(oob_kind, 1));
67 EXPECT_DEATH(Ident(strlen(str - 5)), LeftOOBReadMessage(oob_kind, 5));
68 }
69 EXPECT_DEATH(Ident(strlen(str + length + 1)),
70 RightOOBReadMessage(oob_kind, 0));
71 // Overwrite terminator
72 str[length] = 'a';
73 // String is not zero-terminated, strlen will lead to OOB access
74 EXPECT_DEATH(Ident(strlen(str)), RightOOBReadMessage(oob_kind, 0));
75 EXPECT_DEATH(Ident(strlen(str + length)), RightOOBReadMessage(oob_kind, 0));
76 // Restore terminator
77 str[length] = 0;
78}
79TEST(AddressSanitizer, StrLenOOBTest) {
80 // Check heap-allocated string
81 size_t length = Ident(10);
82 char *heap_string = Ident((char*)malloc(size: length + 1));
83 char stack_string[10 + 1];
84 break_optimization(&stack_string);
85 for (size_t i = 0; i < length; i++) {
86 heap_string[i] = 'a';
87 stack_string[i] = 'b';
88 }
89 heap_string[length] = 0;
90 stack_string[length] = 0;
91 StrLenOOBTestTemplate(str: heap_string, length, oob_kind: OOBKind::Heap);
92 StrLenOOBTestTemplate(str: stack_string, length, oob_kind: OOBKind::Stack);
93 StrLenOOBTestTemplate(str: global_string, length: global_string_length, oob_kind: OOBKind::Global);
94 free(ptr: heap_string);
95}
96
97// 32-bit android libc++-based NDK toolchain links wcslen statically, disabling
98// the interceptor.
99#if !defined(__ANDROID__) || defined(__LP64__)
100TEST(AddressSanitizer, WcsLenTest) {
101 EXPECT_EQ(0U, wcslen(Ident(L"")));
102 size_t hello_len = 13;
103 size_t hello_size = (hello_len + 1) * sizeof(wchar_t);
104 EXPECT_EQ(hello_len, wcslen(Ident(L"Hello, World!")));
105 wchar_t *heap_string = Ident((wchar_t*)malloc(size: hello_size));
106 memcpy(dest: heap_string, src: L"Hello, World!", n: hello_size);
107 EXPECT_EQ(hello_len, Ident(wcslen(heap_string)));
108 EXPECT_DEATH(Ident(wcslen(heap_string + 14)), RightOOBReadMessage(0));
109 free(ptr: heap_string);
110}
111#endif
112
113// This test fails on MinGW-w64 because it still ships a static copy of strnlen
114// despite it being available from UCRT.
115#if defined(__MINGW32__)
116# define MAYBE_StrNLenOOBTest DISABLED_StrNLenOOBTest
117#else
118# define MAYBE_StrNLenOOBTest StrNLenOOBTest
119#endif
120
121#if SANITIZER_TEST_HAS_STRNLEN
122TEST(AddressSanitizer, MAYBE_StrNLenOOBTest) {
123 size_t size = Ident(123);
124 char *str = MallocAndMemsetString(size);
125 // Normal strnlen calls.
126 Ident(strnlen(str - 1, 0));
127 Ident(strnlen(str, size));
128 Ident(strnlen(str + size - 1, 1));
129 str[size - 1] = '\0';
130 Ident(strnlen(str, 2 * size));
131 // Argument points to not allocated memory.
132 EXPECT_DEATH(Ident(strnlen(str - 1, 1)), LeftOOBReadMessage(1));
133 EXPECT_DEATH(Ident(strnlen(str + size, 1)), RightOOBReadMessage(0));
134 // Overwrite the terminating '\0' and hit unallocated memory.
135 str[size - 1] = 'z';
136 EXPECT_DEATH(Ident(strnlen(str, size + 1)), RightOOBReadMessage(0));
137 free(str);
138}
139#endif // SANITIZER_TEST_HAS_STRNLEN
140
141// This test fails with the WinASan dynamic runtime because we fail to intercept
142// strdup.
143#if (defined(_MSC_VER) && defined(_DLL)) || defined(__MINGW32__)
144# define MAYBE_StrDupOOBTest DISABLED_StrDupOOBTest
145#else
146# define MAYBE_StrDupOOBTest StrDupOOBTest
147#endif
148
149TEST(AddressSanitizer, MAYBE_StrDupOOBTest) {
150 size_t size = Ident(42);
151 char *str = MallocAndMemsetString(size);
152 char *new_str;
153 // Normal strdup calls.
154 str[size - 1] = '\0';
155 new_str = strdup(s: str);
156 free(ptr: new_str);
157 new_str = strdup(s: str + size - 1);
158 free(ptr: new_str);
159 // Argument points to not allocated memory.
160 EXPECT_DEATH(Ident(strdup(str - 1)), LeftOOBReadMessage(1));
161 EXPECT_DEATH(Ident(strdup(str + size)), RightOOBReadMessage(0));
162 // Overwrite the terminating '\0' and hit unallocated memory.
163 str[size - 1] = 'z';
164 EXPECT_DEATH(Ident(strdup(str)), RightOOBReadMessage(0));
165 free(ptr: str);
166}
167
168#if SANITIZER_TEST_HAS_STRNDUP
169TEST(AddressSanitizer, MAYBE_StrNDupOOBTest) {
170 size_t size = Ident(42);
171 char *str = MallocAndMemsetString(size);
172 char *new_str;
173 // Normal strndup calls.
174 str[size - 1] = '\0';
175 new_str = strndup(str, size - 13);
176 free(new_str);
177 new_str = strndup(str + size - 1, 13);
178 free(new_str);
179 // Argument points to not allocated memory.
180 EXPECT_DEATH(Ident(strndup(str - 1, 13)), LeftOOBReadMessage(1));
181 EXPECT_DEATH(Ident(strndup(str + size, 13)), RightOOBReadMessage(0));
182 // Overwrite the terminating '\0' and hit unallocated memory.
183 str[size - 1] = 'z';
184 EXPECT_DEATH(Ident(strndup(str, size + 13)), RightOOBReadMessage(0));
185 // Check handling of non 0 terminated strings.
186 Ident(new_str = strndup(str + size - 1, 0));
187 free(new_str);
188 Ident(new_str = strndup(str + size - 1, 1));
189 free(new_str);
190 EXPECT_DEATH(Ident(strndup(str + size - 1, 2)), RightOOBReadMessage(0));
191 free(str);
192}
193#endif // SANITIZER_TEST_HAS_STRNDUP
194
195TEST(AddressSanitizer, StrCpyOOBTest) {
196 size_t to_size = Ident(30);
197 size_t from_size = Ident(6); // less than to_size
198 char *to = Ident((char*)malloc(size: to_size));
199 char *from = Ident((char*)malloc(size: from_size));
200 // Normal strcpy calls.
201 strcpy(dest: from, src: "hello");
202 strcpy(dest: to, src: from);
203 strcpy(dest: to + to_size - from_size, src: from);
204 // Length of "from" is too small.
205 EXPECT_DEATH(Ident(strcpy(from, "hello2")), RightOOBWriteMessage(0));
206 // "to" or "from" points to not allocated memory.
207 EXPECT_DEATH(Ident(strcpy(to - 1, from)), LeftOOBWriteMessage(1));
208 EXPECT_DEATH(Ident(strcpy(to, from - 1)), LeftOOBReadMessage(1));
209 EXPECT_DEATH(Ident(strcpy(to, from + from_size)), RightOOBReadMessage(0));
210 EXPECT_DEATH(Ident(strcpy(to + to_size, from)), RightOOBWriteMessage(0));
211 // Overwrite the terminating '\0' character and hit unallocated memory.
212 from[from_size - 1] = '!';
213 EXPECT_DEATH(Ident(strcpy(to, from)), RightOOBReadMessage(0));
214 free(ptr: to);
215 free(ptr: from);
216}
217
218TEST(AddressSanitizer, StrNCpyOOBTest) {
219 size_t to_size = Ident(20);
220 size_t from_size = Ident(6); // less than to_size
221 char *to = Ident((char*)malloc(size: to_size));
222 // From is a zero-terminated string "hello\0" of length 6
223 char *from = Ident((char*)malloc(size: from_size));
224 strcpy(dest: from, src: "hello");
225 // copy 0 bytes
226 strncpy(dest: to, src: from, n: 0);
227 strncpy(dest: to - 1, src: from - 1, n: 0);
228 // normal strncpy calls
229 strncpy(dest: to, src: from, n: from_size);
230 strncpy(dest: to, src: from, n: to_size);
231 strncpy(dest: to, src: from + from_size - 1, n: to_size);
232 strncpy(dest: to + to_size - 1, src: from, n: 1);
233 // One of {to, from} points to not allocated memory
234 EXPECT_DEATH(Ident(strncpy(to, from - 1, from_size)),
235 LeftOOBReadMessage(1));
236 EXPECT_DEATH(Ident(strncpy(to - 1, from, from_size)),
237 LeftOOBWriteMessage(1));
238 EXPECT_DEATH(Ident(strncpy(to, from + from_size, 1)),
239 RightOOBReadMessage(0));
240 EXPECT_DEATH(Ident(strncpy(to + to_size, from, 1)),
241 RightOOBWriteMessage(0));
242 // Length of "to" is too small
243 EXPECT_DEATH(Ident(strncpy(to + to_size - from_size + 1, from, from_size)),
244 RightOOBWriteMessage(0));
245 EXPECT_DEATH(Ident(strncpy(to + 1, from, to_size)),
246 RightOOBWriteMessage(0));
247 // Overwrite terminator in from
248 from[from_size - 1] = '!';
249 // normal strncpy call
250 strncpy(dest: to, src: from, n: from_size);
251 // Length of "from" is too small
252 EXPECT_DEATH(Ident(strncpy(to, from, to_size)),
253 RightOOBReadMessage(0));
254 free(ptr: to);
255 free(ptr: from);
256}
257
258// Users may have different definitions of "strchr" and "index", so provide
259// function pointer typedefs and overload RunStrChrTest implementation.
260// We can't use macro for RunStrChrTest body here, as this macro would
261// confuse EXPECT_DEATH gtest macro.
262typedef char*(*PointerToStrChr1)(const char*, int);
263typedef char*(*PointerToStrChr2)(char*, int);
264
265template<typename StrChrFn>
266static void RunStrChrTestImpl(StrChrFn *StrChr) {
267 size_t size = Ident(100);
268 char *str = MallocAndMemsetString(size);
269 str[10] = 'q';
270 str[11] = '\0';
271 EXPECT_EQ(str, StrChr(str, 'z'));
272 EXPECT_EQ(str + 10, StrChr(str, 'q'));
273 EXPECT_EQ(NULL, StrChr(str, 'a'));
274 // StrChr argument points to not allocated memory.
275 EXPECT_DEATH(Ident(StrChr(str - 1, 'z')), LeftOOBReadMessage(1));
276 EXPECT_DEATH(Ident(StrChr(str + size, 'z')), RightOOBReadMessage(0));
277 // Overwrite the terminator and hit not allocated memory.
278 str[11] = 'z';
279 EXPECT_DEATH(Ident(StrChr(str, 'a')), RightOOBReadMessage(0));
280 free(ptr: str);
281}
282
283// Prefer to use the standard signature if both are available.
284UNUSED static void RunStrChrTest(PointerToStrChr1 StrChr, ...) {
285 RunStrChrTestImpl(StrChr);
286}
287UNUSED static void RunStrChrTest(PointerToStrChr2 StrChr, int) {
288 RunStrChrTestImpl(StrChr);
289}
290
291TEST(AddressSanitizer, StrChrAndIndexOOBTest) {
292 RunStrChrTest(&strchr, 0);
293// No index() on Windows and on Android L.
294#if !defined(_WIN32) && !defined(__ANDROID__)
295 RunStrChrTest(StrChr: &index, 0);
296#endif
297}
298
299TEST(AddressSanitizer, StrCmpAndFriendsLogicTest) {
300 // strcmp
301 EXPECT_EQ(0, strcmp(s1: "", s2: ""));
302 EXPECT_EQ(0, strcmp(s1: "abcd", s2: "abcd"));
303 EXPECT_GT(0, strcmp(s1: "ab", s2: "ac"));
304 EXPECT_GT(0, strcmp(s1: "abc", s2: "abcd"));
305 EXPECT_LT(0, strcmp(s1: "acc", s2: "abc"));
306 EXPECT_LT(0, strcmp(s1: "abcd", s2: "abc"));
307
308 // strncmp
309 EXPECT_EQ(0, strncmp(s1: "a", s2: "b", n: 0));
310 EXPECT_EQ(0, strncmp(s1: "abcd", s2: "abcd", n: 10));
311 EXPECT_EQ(0, strncmp(s1: "abcd", s2: "abcef", n: 3));
312 EXPECT_GT(0, strncmp(s1: "abcde", s2: "abcfa", n: 4));
313 EXPECT_GT(0, strncmp(s1: "a", s2: "b", n: 5));
314 EXPECT_GT(0, strncmp(s1: "bc", s2: "bcde", n: 4));
315 EXPECT_LT(0, strncmp(s1: "xyz", s2: "xyy", n: 10));
316 EXPECT_LT(0, strncmp(s1: "baa", s2: "aaa", n: 1));
317 EXPECT_LT(0, strncmp(s1: "zyx", s2: "", n: 2));
318
319#if !defined(_WIN32) // no str[n]casecmp on Windows.
320 // strcasecmp
321 EXPECT_EQ(0, strcasecmp(s1: "", s2: ""));
322 EXPECT_EQ(0, strcasecmp(s1: "zzz", s2: "zzz"));
323 EXPECT_EQ(0, strcasecmp(s1: "abCD", s2: "ABcd"));
324 EXPECT_GT(0, strcasecmp(s1: "aB", s2: "Ac"));
325 EXPECT_GT(0, strcasecmp(s1: "ABC", s2: "ABCd"));
326 EXPECT_LT(0, strcasecmp(s1: "acc", s2: "abc"));
327 EXPECT_LT(0, strcasecmp(s1: "ABCd", s2: "abc"));
328
329 // strncasecmp
330 EXPECT_EQ(0, strncasecmp(s1: "a", s2: "b", n: 0));
331 EXPECT_EQ(0, strncasecmp(s1: "abCD", s2: "ABcd", n: 10));
332 EXPECT_EQ(0, strncasecmp(s1: "abCd", s2: "ABcef", n: 3));
333 EXPECT_GT(0, strncasecmp(s1: "abcde", s2: "ABCfa", n: 4));
334 EXPECT_GT(0, strncasecmp(s1: "a", s2: "B", n: 5));
335 EXPECT_GT(0, strncasecmp(s1: "bc", s2: "BCde", n: 4));
336 EXPECT_LT(0, strncasecmp(s1: "xyz", s2: "xyy", n: 10));
337 EXPECT_LT(0, strncasecmp(s1: "Baa", s2: "aaa", n: 1));
338 EXPECT_LT(0, strncasecmp(s1: "zyx", s2: "", n: 2));
339#endif
340
341 // memcmp
342 EXPECT_EQ(0, memcmp(s1: "a", s2: "b", n: 0));
343 EXPECT_EQ(0, memcmp(s1: "ab\0c", s2: "ab\0c", n: 4));
344 EXPECT_GT(0, memcmp(s1: "\0ab", s2: "\0ac", n: 3));
345 EXPECT_GT(0, memcmp(s1: "abb\0", s2: "abba", n: 4));
346 EXPECT_LT(0, memcmp(s1: "ab\0cd", s2: "ab\0c\0", n: 5));
347 EXPECT_LT(0, memcmp(s1: "zza", s2: "zyx", n: 3));
348}
349
350typedef int(*PointerToStrCmp)(const char*, const char*);
351void RunStrCmpTest(PointerToStrCmp StrCmp) {
352 size_t size = Ident(100);
353 int fill = 'o';
354 char *s1 = MallocAndMemsetString(size, ch: fill);
355 char *s2 = MallocAndMemsetString(size, ch: fill);
356 s1[size - 1] = '\0';
357 s2[size - 1] = '\0';
358 // Normal StrCmp calls
359 Ident(StrCmp(s1, s2));
360 Ident(StrCmp(s1, s2 + size - 1));
361 Ident(StrCmp(s1 + size - 1, s2 + size - 1));
362 // One of arguments points to not allocated memory.
363 EXPECT_DEATH(Ident(StrCmp)(s1 - 1, s2), LeftOOBReadMessage(1));
364 EXPECT_DEATH(Ident(StrCmp)(s1, s2 - 1), LeftOOBReadMessage(1));
365 EXPECT_DEATH(Ident(StrCmp)(s1 + size, s2), RightOOBReadMessage(0));
366 EXPECT_DEATH(Ident(StrCmp)(s1, s2 + size), RightOOBReadMessage(0));
367 // Hit unallocated memory and die.
368 s1[size - 1] = fill;
369 EXPECT_DEATH(Ident(StrCmp)(s1, s1), RightOOBReadMessage(0));
370 EXPECT_DEATH(Ident(StrCmp)(s1 + size - 1, s2), RightOOBReadMessage(0));
371 free(ptr: s1);
372 free(ptr: s2);
373}
374
375TEST(AddressSanitizer, StrCmpOOBTest) {
376 RunStrCmpTest(StrCmp: &strcmp);
377}
378
379#if !defined(_WIN32) // no str[n]casecmp on Windows.
380TEST(AddressSanitizer, StrCaseCmpOOBTest) {
381 RunStrCmpTest(StrCmp: &strcasecmp);
382}
383#endif
384
385typedef int(*PointerToStrNCmp)(const char*, const char*, size_t);
386void RunStrNCmpTest(PointerToStrNCmp StrNCmp) {
387 size_t size = Ident(100);
388 char *s1 = MallocAndMemsetString(size);
389 char *s2 = MallocAndMemsetString(size);
390 s1[size - 1] = '\0';
391 s2[size - 1] = '\0';
392 // Normal StrNCmp calls
393 Ident(StrNCmp(s1, s2, size + 2));
394 s1[size - 1] = 'z';
395 s2[size - 1] = 'x';
396 Ident(StrNCmp(s1 + size - 2, s2 + size - 2, size));
397 s2[size - 1] = 'z';
398 Ident(StrNCmp(s1 - 1, s2 - 1, 0));
399 Ident(StrNCmp(s1 + size - 1, s2 + size - 1, 1));
400 // One of arguments points to not allocated memory.
401 EXPECT_DEATH(Ident(StrNCmp)(s1 - 1, s2, 1), LeftOOBReadMessage(1));
402 EXPECT_DEATH(Ident(StrNCmp)(s1, s2 - 1, 1), LeftOOBReadMessage(1));
403 EXPECT_DEATH(Ident(StrNCmp)(s1 + size, s2, 1), RightOOBReadMessage(0));
404 EXPECT_DEATH(Ident(StrNCmp)(s1, s2 + size, 1), RightOOBReadMessage(0));
405 // Hit unallocated memory and die.
406 EXPECT_DEATH(Ident(StrNCmp)(s1 + 1, s2 + 1, size), RightOOBReadMessage(0));
407 EXPECT_DEATH(Ident(StrNCmp)(s1 + size - 1, s2, 2), RightOOBReadMessage(0));
408 free(ptr: s1);
409 free(ptr: s2);
410}
411
412TEST(AddressSanitizer, StrNCmpOOBTest) {
413 RunStrNCmpTest(StrNCmp: &strncmp);
414}
415
416#if !defined(_WIN32) // no str[n]casecmp on Windows.
417TEST(AddressSanitizer, StrNCaseCmpOOBTest) {
418 RunStrNCmpTest(StrNCmp: &strncasecmp);
419}
420#endif
421
422TEST(AddressSanitizer, StrCatOOBTest) {
423 // strcat() reads strlen(to) bytes from |to| before concatenating.
424 size_t to_size = Ident(100);
425 char *to = MallocAndMemsetString(size: to_size);
426 to[0] = '\0';
427 size_t from_size = Ident(20);
428 char *from = MallocAndMemsetString(size: from_size);
429 from[from_size - 1] = '\0';
430 // Normal strcat calls.
431 strcat(dest: to, src: from);
432 strcat(dest: to, src: from);
433 strcat(dest: to + from_size, src: from + from_size - 2);
434 // Passing an invalid pointer is an error even when concatenating an empty
435 // string.
436 EXPECT_DEATH(strcat(to - 1, from + from_size - 1), LeftOOBAccessMessage(1));
437 // One of arguments points to not allocated memory.
438 EXPECT_DEATH(strcat(to - 1, from), LeftOOBAccessMessage(1));
439 EXPECT_DEATH(strcat(to, from - 1), LeftOOBReadMessage(1));
440 EXPECT_DEATH(strcat(to, from + from_size), RightOOBReadMessage(0));
441
442 // "from" is not zero-terminated.
443 from[from_size - 1] = 'z';
444 EXPECT_DEATH(strcat(to, from), RightOOBReadMessage(0));
445 from[from_size - 1] = '\0';
446 // "to" is too short to fit "from".
447 memset(s: to, c: 'z', n: to_size);
448 to[to_size - from_size + 1] = '\0';
449 EXPECT_DEATH(strcat(to, from), RightOOBWriteMessage(0));
450 // length of "to" is just enough.
451 strcat(dest: to, src: from + 1);
452
453 free(ptr: to);
454 free(ptr: from);
455}
456
457TEST(AddressSanitizer, StrNCatOOBTest) {
458 // strncat() reads strlen(to) bytes from |to| before concatenating.
459 size_t to_size = Ident(100);
460 char *to = MallocAndMemsetString(size: to_size);
461 to[0] = '\0';
462 size_t from_size = Ident(20);
463 char *from = MallocAndMemsetString(size: from_size);
464 // Normal strncat calls.
465 strncat(dest: to, src: from, n: 0);
466 strncat(dest: to, src: from, n: from_size);
467 from[from_size - 1] = '\0';
468 strncat(dest: to, src: from, n: 2 * from_size);
469 strncat(dest: to, src: from + from_size - 1, n: 10);
470 // One of arguments points to not allocated memory.
471 EXPECT_DEATH(strncat(to - 1, from, 2), LeftOOBAccessMessage(1));
472 EXPECT_DEATH(strncat(to, from - 1, 2), LeftOOBReadMessage(1));
473 EXPECT_DEATH(strncat(to, from + from_size, 2), RightOOBReadMessage(0));
474
475 memset(s: from, c: 'z', n: from_size);
476 memset(s: to, c: 'z', n: to_size);
477 to[0] = '\0';
478 // "from" is too short.
479 EXPECT_DEATH(strncat(to, from, from_size + 1), RightOOBReadMessage(0));
480 // "to" is too short to fit "from".
481 to[0] = 'z';
482 to[to_size - from_size + 1] = '\0';
483 EXPECT_DEATH(strncat(to, from, from_size - 1), RightOOBWriteMessage(0));
484 // "to" is just enough.
485 strncat(dest: to, src: from, n: from_size - 2);
486
487 free(ptr: to);
488 free(ptr: from);
489}
490
491static std::string OverlapErrorMessage(const std::string &func) {
492 return func + "-param-overlap";
493}
494
495TEST(AddressSanitizer, StrArgsOverlapTest) {
496 size_t size = Ident(100);
497 char *str = Ident((char*)malloc(size: size));
498
499// Do not check memcpy() on OS X 10.7 and later, where it actually aliases
500// memmove().
501#if !defined(__APPLE__) || !defined(MAC_OS_X_VERSION_10_7) || \
502 (MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7)
503 // Check "memcpy". Use Ident() to avoid inlining.
504#if PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE
505 memset(str, 'z', size);
506 Ident(memcpy)(str + 1, str + 11, 10);
507 Ident(memcpy)(str, str, 0);
508 EXPECT_DEATH(Ident(memcpy)(str, str + 14, 15), OverlapErrorMessage("memcpy"));
509 EXPECT_DEATH(Ident(memcpy)(str + 14, str, 15), OverlapErrorMessage("memcpy"));
510#endif
511#endif
512
513 // We do not treat memcpy with to==from as a bug.
514 // See http://llvm.org/bugs/show_bug.cgi?id=11763.
515 // EXPECT_DEATH(Ident(memcpy)(str + 20, str + 20, 1),
516 // OverlapErrorMessage("memcpy"));
517
518 // Check "strcpy".
519 memset(s: str, c: 'z', n: size);
520 str[9] = '\0';
521 strcpy(dest: str + 10, src: str);
522 EXPECT_DEATH(strcpy(str + 9, str), OverlapErrorMessage("strcpy"));
523 EXPECT_DEATH(strcpy(str, str + 4), OverlapErrorMessage("strcpy"));
524 strcpy(dest: str, src: str + 5);
525
526 // Check "strncpy".
527 memset(s: str, c: 'z', n: size);
528 strncpy(dest: str, src: str + 10, n: 10);
529 EXPECT_DEATH(strncpy(str, str + 9, 10), OverlapErrorMessage("strncpy"));
530 EXPECT_DEATH(strncpy(str + 9, str, 10), OverlapErrorMessage("strncpy"));
531 str[10] = '\0';
532 strncpy(dest: str + 11, src: str, n: 20);
533 EXPECT_DEATH(strncpy(str + 10, str, 20), OverlapErrorMessage("strncpy"));
534
535 // Check "strcat".
536 memset(s: str, c: 'z', n: size);
537 str[10] = '\0';
538 str[20] = '\0';
539 strcat(dest: str, src: str + 10);
540 EXPECT_DEATH(strcat(str, str + 11), OverlapErrorMessage("strcat"));
541 str[10] = '\0';
542 strcat(dest: str + 11, src: str);
543 EXPECT_DEATH(strcat(str, str + 9), OverlapErrorMessage("strcat"));
544 EXPECT_DEATH(strcat(str + 9, str), OverlapErrorMessage("strcat"));
545 EXPECT_DEATH(strcat(str + 10, str), OverlapErrorMessage("strcat"));
546
547 // Check "strncat".
548 memset(s: str, c: 'z', n: size);
549 str[10] = '\0';
550 strncat(dest: str, src: str + 10, n: 10); // from is empty
551 EXPECT_DEATH(strncat(str, str + 11, 10), OverlapErrorMessage("strncat"));
552 str[10] = '\0';
553 str[20] = '\0';
554 strncat(dest: str + 5, src: str, n: 5);
555 str[10] = '\0';
556 EXPECT_DEATH(strncat(str + 5, str, 6), OverlapErrorMessage("strncat"));
557 EXPECT_DEATH(strncat(str, str + 9, 10), OverlapErrorMessage("strncat"));
558
559 free(ptr: str);
560}
561
562typedef void(*PointerToCallAtoi)(const char*);
563
564void RunAtoiOOBTest(PointerToCallAtoi Atoi) {
565 char *array = MallocAndMemsetString(size: 10, ch: '1');
566 // Invalid pointer to the string.
567 EXPECT_DEATH(Atoi(array + 11), RightOOBReadMessage(1));
568 EXPECT_DEATH(Atoi(array - 1), LeftOOBReadMessage(1));
569 // Die if a buffer doesn't have terminating NULL.
570 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0));
571 // Make last symbol a terminating NULL
572 array[9] = '\0';
573 Atoi(array);
574 // Sometimes we need to detect overflow if no digits are found.
575 memset(s: array, c: ' ', n: 10);
576 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0));
577 array[9] = '-';
578 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0));
579 EXPECT_DEATH(Atoi(array + 9), RightOOBReadMessage(0));
580 free(ptr: array);
581}
582
583#if !defined(_WIN32) // FIXME: Fix and enable on Windows.
584void CallAtoi(const char *nptr) {
585 Ident(atoi(nptr: nptr));
586}
587void CallAtol(const char *nptr) {
588 Ident(atol(nptr: nptr));
589}
590void CallAtoll(const char *nptr) {
591 Ident(atoll(nptr: nptr));
592}
593TEST(AddressSanitizer, AtoiAndFriendsOOBTest) {
594 RunAtoiOOBTest(Atoi: &CallAtoi);
595 RunAtoiOOBTest(Atoi: &CallAtol);
596 RunAtoiOOBTest(Atoi: &CallAtoll);
597}
598#endif
599
600typedef void(*PointerToCallStrtol)(const char*, char**, int);
601
602void RunStrtolOOBTest(PointerToCallStrtol Strtol) {
603 char *array = MallocAndMemsetString(size: 3);
604 array[0] = '1';
605 array[1] = '2';
606 array[2] = '3';
607 // Invalid pointer to the string.
608 EXPECT_DEATH(Strtol(array + 3, NULL, 0), RightOOBReadMessage(0));
609 EXPECT_DEATH(Strtol(array - 1, NULL, 0), LeftOOBReadMessage(1));
610 // Buffer overflow if there is no terminating null (depends on base).
611 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
612 array[2] = 'z';
613 EXPECT_DEATH(Strtol(array, NULL, 36), RightOOBReadMessage(0));
614 // Add terminating zero to get rid of overflow.
615 array[2] = '\0';
616 Strtol(array, NULL, 36);
617 // Sometimes we need to detect overflow if no digits are found.
618 array[0] = array[1] = array[2] = ' ';
619 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
620 array[2] = '+';
621 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
622 array[2] = '-';
623 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0));
624 free(ptr: array);
625}
626
627#if !defined(_WIN32) // FIXME: Fix and enable on Windows.
628void CallStrtol(const char *nptr, char **endptr, int base) {
629 Ident(strtol(nptr: nptr, endptr: endptr, base: base));
630}
631void CallStrtoll(const char *nptr, char **endptr, int base) {
632 Ident(strtoll(nptr: nptr, endptr: endptr, base: base));
633}
634TEST(AddressSanitizer, StrtollOOBTest) {
635 RunStrtolOOBTest(Strtol: &CallStrtoll);
636}
637TEST(AddressSanitizer, StrtolOOBTest) {
638 RunStrtolOOBTest(Strtol: &CallStrtol);
639}
640#endif
641

source code of compiler-rt/lib/asan/tests/asan_str_test.cpp