hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11958 from jketema/argv-if-tests

Browse Source 
C++: Add some additional uncontrolled format string tests
This commit is contained in:
Jeroen Ketema
2023-01-23 14:05:07 +01:00
committed by GitHub
parent 45aaeb897a cfc0dabad9
commit 05ecd2e015
2 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c
View File

@@ -168,4 +168,34 @@ int main(int argc, char **argv) {
int i10 = (int) argv[1];
printf((char *) i10);
printWrapper((char *) i10);
// BAD: b value comes from argv
{
char b[64];
char *bp = &b[0];
char *t;
if (0) {
t = 0;
} else {
t = bp;
}
memcpy(t, argv[1] + 1, 1);
printf(bp);
printWrapper(bp);
}
// BAD: b value comes from argv
{
char b[64];
char *bp = &b[0];
char *t;
if (1) {
t = ++bp;
} else {
t = 0;
}
memcpy(t, argv[1] + 1, 1);
printf(bp);
printWrapper(bp);
}
}

44
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
View File

@@ -260,6 +260,30 @@ edges
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | (const char *)... |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | (const char *)... |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp indirection |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp indirection |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp indirection |
| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp indirection |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | (const char *)... |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | (const char *)... |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp indirection |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp indirection |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp indirection |
| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp indirection |
subpaths
| argvLocal.c:102:15:102:16 | i1 indirection | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | ReturnIndirection | argvLocal.c:102:15:102:16 | printWrapper output argument |
| argvLocal.c:107:15:107:19 | access to array indirection | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | ReturnIndirection | argvLocal.c:107:15:107:19 | printWrapper output argument |
@@ -396,6 +420,22 @@ nodes
| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
| argvLocal.c:182:13:182:16 | argv | semmle.label | argv |
| argvLocal.c:182:13:182:16 | argv | semmle.label | argv |
| argvLocal.c:183:10:183:11 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:183:10:183:11 | bp | semmle.label | bp |
| argvLocal.c:183:10:183:11 | bp indirection | semmle.label | bp indirection |
| argvLocal.c:184:16:184:17 | bp | semmle.label | bp |
| argvLocal.c:184:16:184:17 | bp | semmle.label | bp |
| argvLocal.c:184:16:184:17 | bp indirection | semmle.label | bp indirection |
| argvLocal.c:197:13:197:16 | argv | semmle.label | argv |
| argvLocal.c:197:13:197:16 | argv | semmle.label | argv |
| argvLocal.c:198:10:198:11 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:198:10:198:11 | bp | semmle.label | bp |
| argvLocal.c:198:10:198:11 | bp indirection | semmle.label | bp indirection |
| argvLocal.c:199:16:199:17 | bp | semmle.label | bp |
| argvLocal.c:199:16:199:17 | bp | semmle.label | bp |
| argvLocal.c:199:16:199:17 | bp indirection | semmle.label | bp indirection |
#select
| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:95:9:95:12 | argv | argv |
| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:96:15:96:18 | argv | argv |
@@ -425,3 +465,7 @@ nodes
| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:163:22:163:25 | argv | argv |
| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:168:18:168:21 | argv | argv |
| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:168:18:168:21 | argv | argv |
| argvLocal.c:183:10:183:11 | bp | argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:182:13:182:16 | argv | argv |
| argvLocal.c:184:16:184:17 | bp | argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:182:13:182:16 | argv | argv |
| argvLocal.c:198:10:198:11 | bp | argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:197:13:197:16 | argv | argv |
| argvLocal.c:199:16:199:17 | bp | argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:197:13:197:16 | argv | argv |