Created attachment 10789
Patch for this bug, plus a regression test case
The llvm-3.2 taint engine does not properly taint the results of a gets() call.
Since none of the function arguments are tainted,
ProgramStateRef GenericTaintChecker::TaintPropagationRule::process() bails out early.
gets() is a special case, wherein stdin is implied.
The attached patch includes a fix for this issue and a regression test case.
This fix does slightly change the semantics of TaintPropagationRule, but I
think it maintains correctness.
gets-taint.patch
(2684 bytes, application/octet-stream)