MallocOverflow works in two phases:
- Collects suspicious malloc calls, whose argument is a multiplication
- Filters the aggregated list of suspicious malloc calls by iterating over the BasicBlocks of the CFG looking for comparison binary operators over the variable constituting in any suspicious malloc.
Consequently, it suppressed true-positive cases when the comparison check was after the malloc call.
In this patch, the checker will consider the relative position of the relation check to the malloc call.
E.g.:
void *check_after_malloc(int n, int x) { int *p = NULL; if (x == 42) p = malloc(n * sizeof(int)); // Previously **no** warning, now it // warns about this. // The check is after the allocation! if (n > 10) { // Do something conditionally. } return p; }