Update IfStatementAdditionOverflow.ql

This commit is contained in:
Nicky Mouha
2023-02-23 17:50:02 -05:00
committed by GitHub
parent ed75172bdd
commit 08f04d5386


@@ -1,13 +1,8 @@
/** /**
* @name Integer addition may overflow inside if statement * @name Integer addition may overflow inside if statement
* @description Detects "if (a+b>c) a=c-b", which incorrectly implements * @description "if (a+b>c) a=c-b" was detected where "a+b" may potentially
* a = min(a,c-b) if a+b overflows. Should be replaced by * produce an integer overflow (or wraparound). The code can be
* "if (a>c-b) a=c-b". Also detects "if (b+a>c) a=c-b" * rewritten to "if (a>c-b) a=c-b" which avoids the overflow.
* (swapped terms in addition), if (a+b>c) { a=c-b }"
* (assignment inside block), "c<a+b" (swapped operands) and
* ">=", "<", "<=" instead of ">" (all operators). This
* integer overflow is the root cause of the buffer overflow
* in the SHA-3 reference implementation (CVE-2022-37454).
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @id cpp/if-statement-addition-overflow * @id cpp/if-statement-addition-overflow
@@ -27,7 +22,6 @@ from IfStmt ifstmt, RelationalOperation relop, ExprStmt exprstmt, BlockStmt bloc
where ifstmt.getCondition() = relop and where ifstmt.getCondition() = relop and
relop.getAnOperand() = addexpr and relop.getAnOperand() = addexpr and
addexpr.getUnspecifiedType() instanceof IntegralType and addexpr.getUnspecifiedType() instanceof IntegralType and
subexpr.getUnspecifiedType() instanceof IntegralType and
not isFromMacroDefinition(relop) and not isFromMacroDefinition(relop) and
exprMightOverflowPositively(addexpr) and exprMightOverflowPositively(addexpr) and
(ifstmt.getThen() = exprstmt or (ifstmt.getThen() = exprstmt or
@@ -39,6 +33,5 @@ where ifstmt.getCondition() = relop and
globalValueNumber(addexpr.getRightOperand()) = globalValueNumber(subexpr.getRightOperand())) or globalValueNumber(addexpr.getRightOperand()) = globalValueNumber(subexpr.getRightOperand())) or
(hashCons(addexpr.getRightOperand()) = hashCons(assignexpr.getLValue()) and (hashCons(addexpr.getRightOperand()) = hashCons(assignexpr.getLValue()) and
globalValueNumber(addexpr.getLeftOperand()) = globalValueNumber(subexpr.getRightOperand()))) and globalValueNumber(addexpr.getLeftOperand()) = globalValueNumber(subexpr.getRightOperand()))) and
globalValueNumber(relop.getAnOperand()) = globalValueNumber(subexpr.getLeftOperand()) and globalValueNumber(relop.getAnOperand()) = globalValueNumber(subexpr.getLeftOperand())
not globalValueNumber(addexpr.getAnOperand()) = globalValueNumber(relop.getAnOperand())
select ifstmt, "Integer addition may overflow inside if statement." select ifstmt, "Integer addition may overflow inside if statement."
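Review bot: The rewritten @description in the first hunk states that the suggested form `if (a>c-b) a=c-b` "avoids the overflow", but `c-b` can itself wrap (unsigned `b > c`) or overflow (signed `c` near the type minimum), so the rewrite is only sound when `b <= c` is an established invariant, as it is in the SHA-3 case; the text should carry that caveat, e.g. `* rewritten to "if (a>c-b) a=c-b", which avoids the overflow provided b<=c holds (otherwise c-b itself wraps).` Dropping the `not globalValueNumber(addexpr.getAnOperand()) = globalValueNumber(relop.getAnOperand())` conjunct in the last hunk appears to re-admit conditions whose comparand aliases an addend, such as the deliberate wraparound check `if (a + b < a)`; if that is intended, a one-line comment explaining why the exclusion is no longer needed would help the next maintainer. Removing the `subexpr` IntegralType restriction in the middle hunk looks harmless because `addexpr` is already constrained to IntegralType, although a pointer-typed `c` in `c - b` would now match and deserves a test case. The `from` clause declaring `ifstmt`, `relop`, `addexpr`, `subexpr` and `assignexpr` begins before the second hunk, so those declarations are outside what is shown.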