hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3277 from geoffw0/rangeshift

Browse Source 
C++: Support for & and >> in SimpleRangeAnalysis
This commit is contained in:
Dave Bartolomeo
2020-04-22 11:36:36 -04:00
committed by GitHub
parent 1ecfa2eb55 2e392516c2
commit 163ecd97de
7 changed files with 264 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected Normal file
View File

@@ -0,0 +1,15 @@
| test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
| test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
| test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
| test.c:65:14:65:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:64:8:64:8 | s | s | test.c:63:17:63:17 | x | x |
| test.c:87:14:87:18 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:84:15:84:15 | x | x |
| test.c:91:14:91:23 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:91:18:91:23 | 65280 | 65280 |
| test.c:93:14:93:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:93:18:93:25 | 16711680 | 16711680 |
| test.c:95:14:95:27 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:95:18:95:27 | 4278190080 | 4278190080 |
| test.c:99:14:99:29 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:99:19:99:28 | ... & ... | ... & ... |
| test.c:101:14:101:31 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:101:19:101:30 | ... & ... | ... & ... |
| test.c:103:14:103:33 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:103:19:103:32 | ... & ... | ... & ... |
| test.c:105:14:105:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:105:19:105:24 | ... >> ... | ... >> ... |
| test.c:107:14:107:26 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:107:19:107:25 | ... >> ... | ... >> ... |
| test.c:128:15:128:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
| test.c:139:15:139:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |

0
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/ComparisonWithWiderType.qlref → cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref
View File

147
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c Normal file
View File

@@ -0,0 +1,147 @@
void test1 (int x) {
char c;
for (c = 0; c < x; c++) {} //BAD
}
void test2 (int x) {
char c;
for (c = 0; x > c; c++) {} // BAD
}
void test3 (int x) {
short s;
for (s = 0; s < x; s++) {} //BAD
}
void runner() { // get range analysis to give large values to x in tests
test1(65536);
test2(65536);
test3(655360);
test7((unsigned long long)1<<48);
test8(65536);
test9(65536);
test10(65536);
}
void test4 () {
short s1;
short s2 = 200;
for (s1 = 0; s1 < s2; s1++) {}
}
void test5 () {
short s1;
int x = 65536;
s1 < x;
}
void test6() {
short s1;
for (s1 = 0; s1 < 0x0000ffff; s1++) {}
}
void test7(long long l) {
int i;
for (i = 0; i < l; i++) {}
}
void test8(int x) {
short s;
for (s = 256; s < x; x--) {}
}
void test9(int x) {
short s;
for (s = 256; s < x; ) {
x--;
}
}
void test10(int x) {
short s;
for (s = 0; s < x; ) { // BAD
do
{
s++;
} while (0);
}
}
extern const int const256;
void test11() {
short s;
for(s = 0; s < const256; ++s) {}
}
unsigned int get_a_uint();
void test12() {
unsigned char c;
unsigned int x;
x = get_a_uint();
for (c = 0; c < x; c++) {} // BAD
x = get_a_uint();
for (c = 0; c < 0xFF; c++) {} // GOOD
x = get_a_uint();
for (c = 0; c < 0xFF00; c++) {} // BAD
x = get_a_uint();
for (c = 0; c < 0xFF0000; c++) {} // BAD
x = get_a_uint();
for (c = 0; c < 0xFF000000; c++) {} // BAD
x = get_a_uint();
for (c = 0; c < (x & 0xFF); c++) {} // GOOD
x = get_a_uint();
for (c = 0; c < (x & 0xFF00); c++) {} // BAD
x = get_a_uint();
for (c = 0; c < (x & 0xFF0000); c++) {} // BAD
x = get_a_uint();
for (c = 0; c < (x & 0xFF000000); c++) {} // BAD
x = get_a_uint();
for (c = 0; c < (x >> 8); c++) {} // BAD
x = get_a_uint();
for (c = 0; c < (x >> 16); c++) {} // BAD
x = get_a_uint();
for (c = 0; c < (x >> 24); c++) {} // GOOD (assuming 32-bit ints)
x = get_a_uint();
for (c = 0; c < ((x & 0xFF00) >> 8); c++) {} // GOOD
x = get_a_uint();
for (c = 0; c < ((x & 0xFF0000) >> 16); c++) {} // GOOD
x = get_a_uint();
for (c = 0; c < ((x & 0xFF000000) >> 24); c++) {} // GOOD
}
int get_an_int();
void test13() {
unsigned char uc;
int sx, sy;
unsigned ux, uy, sz;
ux = get_a_uint();
uy = get_a_uint();
sz = ux & uy;
for (uc = 0; uc < sz; uc++) {} // BAD
ux = get_a_uint();
uy = get_a_uint();
if (ux > 128) {ux = 128;}
sz = ux & uy;
for (uc = 0; uc < sz; uc++) {} // GOOD
sx = get_an_int();
sy = get_an_int();
sz = (unsigned)sx & (unsigned)sy;
for (uc = 0; uc < sz; uc++) {} // BAD
sx = get_an_int();
sy = get_an_int();
if (sx < 0) {sx = 0;}
if (sx > 128) {sx = 128;}
sz = (unsigned)sx & (unsigned)sy;
for (uc = 0; uc < sz; uc++) {} // GOOD
}

0
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test2.c → cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test2.c
View File

4
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/ComparisonWithWiderType.expected
View File

@@ -1,4 +0,0 @@
| test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
| test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
| test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
| test.c:65:14:65:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:64:8:64:8 | s | s | test.c:63:17:63:17 | x | x |

78
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test.c
View File

@@ -1,78 +0,0 @@
void test1 (int x) {
char c;
for (c = 0; c < x; c++) {} //BAD
}
void test2 (int x) {
char c;
for (c = 0; x > c; c++) {} // BAD
}
void test3 (int x) {
short s;
for (s = 0; s < x; s++) {} //BAD
}
void runner() { // get range analysis to give large values to x in tests
test1(65536);
test2(65536);
test3(655360);
test7((unsigned long long)1<<48);
test8(65536);
test9(65536);
test10(65536);
}
void test4 () {
short s1;
short s2 = 200;
for (s1 = 0; s1 < s2; s1++) {}
}
void test5 () {
short s1;
int x = 65536;
s1 < x;
}
void test6() {
short s1;
for (s1 = 0; s1 < 0x0000ffff; s1++) {}
}
void test7(long long l) {
int i;
for (i = 0; i < l; i++) {}
}
void test8(int x) {
short s;
for (s = 256; s < x; x--) {}
}
void test9(int x) {
short s;
for (s = 256; s < x; ) {
x--;
}
}
void test10(int x) {
short s;
for (s = 0; s < x; ) { // BAD
do
{
s++;
} while (0);
}
}
extern const int const256;
void test11() {
short s;
for(s = 0; s < const256; ++s) {}
}