The llvm-3.2 taint engine does not properly taint the results of a gets() call.
Since none of the function arguments are tainted, ProgramStateRef GenericTaintChecker::TaintPropagationRule::process() bails out early. gets() is a special case, wherein stdin is implied.
The attached patch includes a fix for this issue and a regression test case. This fix does slightly change the semantics of TaintPropagationRule, but I think it maintains correctness.
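As an added illustration (constructed here, not the attached patch and not clang's own code), a small C model of the propagation decision the report describes: the old path bails out whenever no argument is tainted, so gets() never taints its result, while the fixed path applies a rule with an implied stdin source regardless of the arguments. The rule table, its field names and `process_old`/`process_fixed` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a taint-propagation rule table; the names and fields
 * are hypothetical, not the GenericTaintChecker's own data structures. */
typedef struct {
    const char *fn;        /* callee name */
    bool taints_ret;       /* rule marks the return value tainted */
    bool implied_source;   /* callee reads an implied source (stdin) */
} TaintRule;

static const TaintRule kRules[] = {
    { "strcpy", true, false },   /* only propagates taint from its arguments */
    { "gets",   true, true  },   /* stdin implied: result tainted with clean args */
};

static const TaintRule *lookup(const char *fn) {
    for (size_t i = 0; i < sizeof kRules / sizeof kRules[0]; i++)
        if (strcmp(kRules[i].fn, fn) == 0) return &kRules[i];
    return NULL;
}

static bool any_tainted(const bool *args, size_t nargs) {
    for (size_t i = 0; i < nargs; i++)
        if (args[i]) return true;
    return false;
}

/* Old behaviour: bail out before applying the rule when no argument is
 * tainted, so a gets() result is never marked. */
bool process_old(const char *fn, const bool *args, size_t nargs) {
    const TaintRule *r = lookup(fn);
    if (!r) return false;
    if (!any_tainted(args, nargs)) return false;   /* early bail-out */
    return r->taints_ret;
}

/* Fixed behaviour: a rule with an implied source is applied even when every
 * argument is clean; ordinary propagation rules still bail out as before. */
bool process_fixed(const char *fn, const bool *args, size_t nargs) {
    const TaintRule *r = lookup(fn);
    if (!r) return false;
    if (!r->implied_source && !any_tainted(args, nargs)) return false;
    return r->taints_ret;
}
```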