Add filter and format the query

2026-05-02 04:05:14 +02:00 · 2021-09-15 10:37:40 +02:00
parent cf40d0ae4d
commit 01a06d1f5c
1 changed files with 13 additions and 10 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
@@ -15,13 +15,16 @@ import semmle.code.cpp.security.Overflow

 from FunctionCall call, Function f, Parameter p, DataFlow::Node sink, PointerArithmeticOperation pao
 where
-f = call.getTarget() and
-p = f.getAParameter() and
-p.getUnspecifiedType().(IntegralType).isSigned() and
-call.getArgument(p.getIndex()).getUnspecifiedType().(IntegralType).isUnsigned() and
-pao.getAnOperand() = sink.asExpr() and
-not exists(Operation a | guardedLesser(a, sink.asExpr())) and
-not exists(Operation b | guardedGreater(b, call.getArgument(p.getIndex()))) and
-not call.getArgument(p.getIndex()).isConstant() and
-DataFlow::localFlow(DataFlow::parameterNode(p), sink)
-select call, "This call: $@  passes an unsigned int to a function that requires a signed int: $@. And then used in pointer arithmetic: $@", call, call.toString(), f, f.toString(), sink, sink.toString()
+  f = call.getTarget() and
+  p = f.getAParameter() and
+  p.getUnspecifiedType().(IntegralType).isSigned() and
+  call.getArgument(p.getIndex()).getUnspecifiedType().(IntegralType).isUnsigned() and
+  pao.getAnOperand() = sink.asExpr() and
+  not exists(Operation a | guardedLesser(a, sink.asExpr())) and
+  not exists(Operation b | guardedGreater(b, call.getArgument(p.getIndex()))) and
+  not call.getArgument(p.getIndex()).isConstant() and
+  DataFlow::localFlow(DataFlow::parameterNode(p), sink) and
+  p.getUnspecifiedType().getSize() < 8
+select call,
+  "This call: $@  passes an unsigned int to a function that requires a signed int: $@. And then used in pointer arithmetic: $@",
+  call, call.toString(), f, f.toString(), sink, sink.toString()