Merge branch 'main' into aeisenberg/pack/cpp

2026-05-05 05:35:13 +02:00 · 2021-08-17 15:28:47 -07:00
parent 88ceb42356 88372df125
commit 03d6b15401
273 changed files with 9850 additions and 3110 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
@@ -163,4 +163,5 @@ where
    or
    eots.dangerousCrementChanges()
  )
-select eots, "This expression may have undefined behavior."
+select eots,
+  "This expression may have undefined behavior, because the order of evaluation is not specified."
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.expected
@@ -1,3 +1,3 @@
-| test.c:13:10:13:21 | call to tmpFunction1 | This expression may have undefined behavior. |
-| test.c:13:30:13:41 | call to tmpFunction2 | This expression may have undefined behavior. |
-| test.c:16:15:16:20 | ... ++ | This expression may have undefined behavior. |
+| test.c:13:10:13:21 | call to tmpFunction1 | This expression may have undefined behavior, because the order of evaluation is not specified. |
+| test.c:13:30:13:41 | call to tmpFunction2 | This expression may have undefined behavior, because the order of evaluation is not specified. |
+| test.c:16:15:16:20 | ... ++ | This expression may have undefined behavior, because the order of evaluation is not specified. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp
@@ -0,0 +1,39 @@
+typedef unsigned char uint8_t;
+#define SIZE (32)
+
+void test_buffer_overrun_in_for_loop()
+{
+    uint8_t data[SIZE] = {0};
+    for (int x = 0; x < SIZE * 2; x++) {
+        data[x] = 0x41; // BAD [NOT DETECTED]
+    }
+}
+
+void test_buffer_overrun_in_while_loop_using_pointer_arithmetic()
+{
+    uint8_t data[SIZE] = {0};
+    int offset = 0;
+    while (offset < SIZE * 2) {
+        *(data + offset) = 0x41; // BAD [NOT DETECTED]
+        offset++;
+    }
+}
+
+void test_buffer_overrun_in_while_loop_using_array_indexing()
+{
+    uint8_t data[SIZE] = {0};
+    int offset = 0;
+    while (offset < SIZE * 2) {
+        data[offset] = 0x41; // BAD [NOT DETECTED]
+        offset++;
+    }
+}
+
+int main(int argc, char *argv[])
+{
+    test_buffer_overrun_in_for_loop();
+    test_buffer_overrun_in_while_loop_using_pointer_arithmetic();
+    test_buffer_overrun_in_while_loop_using_array_indexing();
+
+    return 0;
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -114,7 +114,7 @@ void test6(bool cond)
 	
 	c = 100;
 	buffer[c] = 'x'; // BAD: over-write [NOT DETECTED]
-	ch = buffer[c]; // BAD: under-read [NOT DETECTED]
+	ch = buffer[c]; // BAD: over-read [NOT DETECTED]

 	d = 0;
 	d = 1000;