Newer
Older
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("sprintf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("sscanf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("vfprintf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("vprintf");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("vsprintf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fgetc");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fgets");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_2);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fputc");
MapEntry.second = STARS_ARG_POS_1;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fputs");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("getc");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("gets");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("putc");
MapEntry.second = STARS_ARG_POS_1;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("puts");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ungetc");
MapEntry.second = STARS_ARG_POS_1;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fread");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_3);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fwrite");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_3);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fgetpos");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fseek");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fsetpos");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ftell");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("rewind");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("clearerr");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("feof");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ferror");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("perror");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
// <time.h>
MapEntry.first = string("mktime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("time");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("asctime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ctime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("gmtime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("localtime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("strftime");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_2 | STARS_ARG_POS_3);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
return;
} // end of InitPointerArgPositionMap()
// Return POINTER arg position bitset for call name from the POINTER arg map.
// If we don't find the call name, we return 0 in ArgPosBits.
void GetPointerArgPositionsForCallName(string CalleeName, unsigned int &ArgPosBits) {
map<string, unsigned int>::iterator MapIter;
ArgPosBits = 0; // Change if found later
MapIter = PointerArgPositionMap.find(CalleeName);
if (MapIter != PointerArgPositionMap.end()) { // found it
ArgPosBits = MapIter->second;
}
return;
}
// Utility to count bits set in an unsigned int, e.g. ArgPosBits.
unsigned int CountBitsSet(unsigned int ArgPosBits) {
unsigned int count; // count accumulates the total bits set in ArgPosBits
for (count = 0; ArgPosBits; ++count) {
ArgPosBits &= (ArgPosBits - 1); // clear the least significant bit set
}
// Brian Kernighan's method goes through as many iterations as there are set bits.
// So if we have a 32-bit word with only the high bit set, then it will only go once through the loop.
// Published in 1988, the C Programming Language 2nd Ed. (by Brian W. Kernighan and Dennis M. Ritchie) mentions this in exercise 2-9.
// On April 19, 2006 Don Knuth pointed out to me that this method "was first published by Peter Wegner in CACM 3 (1960), 322.
// (Also discovered independently by Derrick Lehmer and published in 1964 in a book edited by Beckenbach.)"
return count;
}
// Utility to get highest bit set in a byte.
unsigned int HighestBitSet(unsigned char Byte) {
unsigned int RetVal = 0;
if (Byte & 0xf0) { // check upper 4 bits
RetVal |= 4; // at least bit 4 or higher is set
Byte >>= 4; // shift upper nibble to lower nibble
}
if (Byte & 0xc) { // check upper two bits of lower nibble
RetVal |= 2; // At least bit 2 or higher is set
Byte >>= 2; // shift upper two bits of lower nibble into lowest two bits
}
if (Byte & 0x2) { // Check second least significant bit
RetVal |= 1;
}
return RetVal;
}
// Initialize the FG info for the return register from any library function
// whose name implies that we know certain return values (e.g. atoi() returns
// a signed integer, while strtoul() returns an unsigned long).
void GetLibFuncFGInfo(string FuncName, struct FineGrainedInfo &InitFGInfo) {
map<string, struct FineGrainedInfo>::iterator FindIter;
FindIter = ReturnRegisterTypeMap.find(FuncName);
if (FindIter == ReturnRegisterTypeMap.end()) { // not found
InitFGInfo.SignMiscInfo = 0;
InitFGInfo.SizeInfo = 0;
}
else { // found
InitFGInfo = FindIter->second;
}
return;
} // end of GetLibFuncFGInfo()
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
// Is FuncName a standard library function name?
bool IsLibFuncName(std::string CalleeName) {
// Return true if we find the name in any of our function type maps.
map<string, struct FineGrainedInfo>::iterator RetTypeIter = ReturnRegisterTypeMap.find(CalleeName);
if (RetTypeIter != ReturnRegisterTypeMap.end()) { // found
return true;
}
map<string, unsigned int>::iterator PtrArgIter = PointerArgPositionMap.find(CalleeName);
if (PtrArgIter != PointerArgPositionMap.end()) { // found it
return true;
}
map<string, unsigned int>::iterator TaintIter = TaintWarningArgPositionMap.find(CalleeName);
if (TaintIter != TaintWarningArgPositionMap.end()) { // found it
return true;
}
map<string, unsigned int>::iterator UnsignedIter = UnsignedArgPositionMap.find(CalleeName);
if (UnsignedIter != UnsignedArgPositionMap.end()) { // found it
return true;
}
map<string, string>::iterator SinkIter = IntegerErrorCallSinkMap.find(CalleeName);
if (SinkIter != IntegerErrorCallSinkMap.end()) { // found it
return true;
}
// Put searches for additional library function names here.
if (0 == CalleeName.compare("setuid")) {
return true;
}
return false;
} // end of IsLibFuncName()