Merge branch 'master' into model-gets

2026-04-30 03:05:15 +02:00 · 2020-03-16 15:12:36 +00:00
parent c641a31640 17c57dcb4c
commit 034f7cc948
655 changed files with 27519 additions and 12186 deletions
--- a/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.expected
+++ b/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.expected
@@ -1,3 +1,5 @@
+| test2.cpp:19:3:19:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:18:12:18:18 | new | new |
+| test2.cpp:26:3:26:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:25:7:25:13 | new | new |
 | test.cpp:36:2:36:17 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:27:18:27:23 | call to malloc | malloc |
 | test.cpp:41:2:41:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test.cpp:26:7:26:17 | new | new |
 | test.cpp:68:3:68:11 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:64:28:64:33 | call to malloc | malloc |
--- a/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp
+++ b/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp
@@ -0,0 +1,36 @@
+// semmle-extractor-options: -std=gnu++14
+
+typedef unsigned long size_t;
+
+void *malloc(size_t size);
+void free(void *ptr);
+
+void* operator new(size_t _Size, void *_Where);
+
+// ---
+
+template<typename T>
+class MyTest2Class
+{
+public:
+	MyTest2Class()
+	{
+		int *a = new int;
+		free(a); // BAD
+
+		int *ptr_b = (int *)malloc(sizeof(int));
+		int *b = new(ptr_b) int;
+		free(b); // GOOD
+
+		c = new int;
+		free(c); // BAD
+
+		int *ptr_d = (int *)malloc(sizeof(int));
+		d = new(ptr_d) int;
+		free(d); // GOOD
+	}
+
+	int *c, *d;
+};
+
+MyTest2Class<int> mt2c_i;
--- a/Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp
+++ b/Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp
@@ -0,0 +1,29 @@
+void func_with_default_arg(const int n = 0) {
+    if(n <= 10) {}
+}
+
+struct A {
+    const int int_member = 0;
+    A(int n) : int_member(n) {
+        if(int_member <= 10) {
+                    
+        }
+    }
+};
+
+struct B {
+    B(const int n = 0) {
+        if(n <= 10) {}
+    }
+};
+
+const volatile int volatile_const_global = 0;
+
+void test1() {
+    func_with_default_arg(100);
+
+    A a(100);
+    if(a.int_member <= 10) {}
+
+    if(volatile_const_global <= 10) {}
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c
@@ -146,19 +146,21 @@ int main(int argc, char **argv) {

 	// BAD: i8 value comes from argv
 	char *i8;
-	*(&i8 + 1) = argv[1];
+	*(&i8) = argv[1];
 	printf(i8);
 	printWrapper(i8);

 	// BAD: i9 value comes from argv
-	char *i9;
-	memcpy(1 ? i9++ : 0, argv[1], 1);
+	char i9buf[32];
+	char *i9 = i9buf;
+	memcpy(1 ? ++i9 : 0, argv[1], 1);
 	printf(i9);
 	printWrapper(i9);

 	// BAD: i91 value comes from argv
-	char *i91;
-	memcpy(0 ? 0 : (char *)((int) i91 * 2), argv[1], 1);
+	char i91buf[64];
+	char *i91 = &i91buf[0];
+	memcpy(0 ? 0 : i91, argv[1] + 1, 1);
 	printf(i91);
 	printWrapper(i91);

--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
@@ -18,5 +18,11 @@
 | argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
 | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
 | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:167:18:167:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:166:18:166:21 | argv | argv |
-| argvLocal.c:168:24:168:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:166:18:166:21 | argv | argv |
+| argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
+| argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
+| argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
+| argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
+| argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
+| argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -6,3 +6,4 @@
 | test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:21:52:27 | call to realloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:127:17:127:22 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:123:25:123:30 | call to getenv | user input (getenv) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -105,3 +105,24 @@ void processFile()
 		fclose(f);
 	}
 }
+
+char *getenv(const char *name);
+
+#define MAX_SIZE 500
+
+int bounded(int x, int limit) {
+  int result = x;
+  if (x <= 0)
+    result = 1;
+  else if (x > limit)
+    result = limit;
+  return result;
+}
+
+void open_file_bounded () {
+	int size = size = atoi(getenv("USER"));
+	int bounded_size = bounded(size, MAX_SIZE);
+	
+	int* a = (int*)malloc(bounded_size); // GOOD
+	int* b = (int*)malloc(size); // BAD
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test.c
@@ -69,3 +69,10 @@ void test10(int x) {
 		} while (0);
 	}
 }
+
+extern const int const256;
+
+void test11() {
+	short s;
+	for(s = 0; s < const256; ++s) {}
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test2.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test2.c
@@ -0,0 +1 @@
+const int const256 = 256;