diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql index d9c9df4fd91..343e96a00d3 100644 --- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql +++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql @@ -18,7 +18,8 @@ import IncorrectPointerScalingCommon private predicate isCharSzPtrExpr(Expr e) { exists(PointerType pt | pt = e.getFullyConverted().getUnspecifiedType() | pt.getBaseType() instanceof CharType or - pt.getBaseType() instanceof VoidType + pt.getBaseType() instanceof VoidType or + pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation ) } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected index c1a192afc3a..dbff4230f25 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected @@ -1,8 +1,5 @@ | buildless.cpp:5:15:5:25 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const short * | const short * | | buildless.cpp:6:13:6:23 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const int * | const int * | -| buildless.cpp:7:11:7:21 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const * | const * | -| buildless.cpp:8:12:8:22 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const * | const * | -| buildless.cpp:9:12:9:22 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const * | const * | | test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * | | test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * | | test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp index cc93ef719b5..bfe4f546803 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp @@ -4,7 +4,7 @@ void test_buildless(const char *p_c, const short *p_short, const int *p_int, con *(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1) *(p_short + sizeof(int)); // BAD *(p_int + sizeof(int)); // BAD - *(p_8 + sizeof(int)); // GOOD (`sizeof(p_8)` is 1) [FALSE POSITIVE] - *(p_16 + sizeof(int)); // BAD - *(p_32 + sizeof(int)); // BAD + *(p_8 + sizeof(int)); // GOOD (`sizeof(p_8)` is 1, but there's an error in the type) + *(p_16 + sizeof(int)); // BAD [NOT DETECTED] + *(p_32 + sizeof(int)); // BAD [NOT DETECTED] }