From 3e18a9b88551a805e6237edeb4adc8d548bfdbe6 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 24 Aug 2018 17:14:42 +0100 Subject: [PATCH 1/2] CPP: Improve the special case for realloc in MemoryMayNotBeFreed.ql. --- cpp/ql/src/Critical/MemoryMayNotBeFreed.ql | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql index 48aac00359c..bba3dd77976 100644 --- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql +++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql @@ -62,8 +62,14 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode // a realloc followed by a null check at 'node' (return the non-null // successor, i.e. where the realloc is confirmed to have succeeded) newV.getAnAssignedValue() = reallocCall and - node.(AnalysedExpr).getNonNullSuccessor(newV) = verified + node.(AnalysedExpr).getNonNullSuccessor(newV) = verified and // note: this case uses naive flow logic (getAnAssignedValue). + + // special case: if the result of the 'realloc' is assigned to the + // same variable, we don't descriminate properly between the old + // and the new allocation; better to not consider this a free at + // all in that case. + newV != v ) or ( // a realloc(ptr, 0), which always succeeds and frees // (return the realloc itself) From 8e5c170af62d2cfd3270a9c5cba58c49247140ca Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 24 Aug 2018 17:24:29 +0100 Subject: [PATCH 2/2] CPP: Change note. --- change-notes/1.18/analysis-cpp.md | 1 + 1 file changed, 1 insertion(+) diff --git a/change-notes/1.18/analysis-cpp.md b/change-notes/1.18/analysis-cpp.md index 054e1ca8370..e5a25656afa 100644 --- a/change-notes/1.18/analysis-cpp.md +++ b/change-notes/1.18/analysis-cpp.md 
@@ -19,6 +19,7 @@ | [Nested loops with same variable] | Fewer false positive results | Results where the loop variable is a member of a class or struct now account for the object. | | [For loop variable changed in body] | Fewer false positive results | Results where the loop variable is a member of a class or struct now account for the object. | | [Local variable hides global variable] | Fewer false positive results | Results for parameters are now only reported if the name of the global variable is the same as the name of the parameter as used in the function definition (not just a function declaration). | +| [Memory may not be freed] | More correct results | This query now models calls to `realloc` more accurately. | | Wrong number of arguments to formatting function | Fewer false positive results | Some false positives related to custom printf-like functions have been fixed. | | Wrong number of arguments to formatting function | Clear separation between results of high and low severity | This query has been split into two queries: a high-severity query named [Too few arguments to formatting function] and a low-severity query named [Too many arguments to formatting function]. | | [Too few arguments to formatting function] | More correct and fewer false positives results | This query now understands positional format arguments as supported by some libraries. |
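Review bot: In the `MemoryMayNotBeFreed.ql` hunk, the new comment has a typo ("descriminate" should be "discriminate"), and the trailing comment appended to the `verified and` line ("note: this case uses naive flow logic (getAnAssignedValue)") would read better on its own line above the conjunct rather than after the `and`. On the logic itself, the added `newV != v` conjunct means the very common idiom `p = realloc(p, n)` no longer counts as a verified free of the old block; the diffstat shows only the query file changed, so a test covering that idiom (and the `p = realloc(q, n)` case that should still be treated as a free) would make the intended behaviour explicit and guard against regressions.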
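Review bot: In the `analysis-cpp.md` hunk, the new row's description, "This query now models calls to `realloc` more accurately", is too vague to tell users what changed; the preceding patch restricts the realloc special case so that a `realloc` whose result is assigned back to the same variable is no longer treated as freeing the old allocation, and the note should say that. The "More correct results" wording also differs from the "Fewer false positive results" phrasing used by the neighbouring rows; if the change can add results as well as remove them, say so explicitly so readers know what to expect.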