Use upperbound instead of offset to check if the extent of memory region
being accessed is tainted or not.
Original author: steakhal
add analyzer tag
Could you please explain why we change rawOffset to *upperBoundToCheck? And perhaps the same explanation could infiltrate into the checker's code itself as a comment to upperbound.
Could we get rid of the seemingly unrelated malloc taint report by using an array on the stack?
In the test attached you can see that the extent is tainted, not the offset.
Thus checking the offset for taint won't suffice.
The bug condition should depend on the calculation itself, which is basically what is done here.
No, we need the extent to be tainted.
Okay, makes sense, but then please update the comment
// If we are under constrained and the index variables are tainted, report.
to mention the extent as well.