hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #114 from geoffw0/samate-realloc

Browse Source 
CPP: Handle 'realloc' better in MemoryMayNotBeFreed.ql
This commit is contained in:
Jonas Jensen
2018-09-05 08:35:13 +02:00
committed by GitHub
parent 8225daf94d 8e5c170af6
commit 1bcae97447
2 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
change-notes/1.18/analysis-cpp.md
View File

@@ -19,6 +19,7 @@
| [Nested loops with same variable] | Fewer false positive results | Results where the loop variable is a member of a class or struct now account for the object. |
| [For loop variable changed in body] | Fewer false positive results | Results where the loop variable is a member of a class or struct now account for the object. |
| [Local variable hides global variable] | Fewer false positive results | Results for parameters are now only reported if the name of the global variable is the same as the name of the parameter as used in the function definition (not just a function declaration). |
| [Memory may not be freed] | More correct results | This query now models calls to `realloc` more accurately. |
| Wrong number of arguments to formatting function | Fewer false positive results | Some false positives related to custom printf-like functions have been fixed. |
| Wrong number of arguments to formatting function | Clear separation between results of high and low severity | This query has been split into two queries: a high-severity query named [Too few arguments to formatting function] and a low-severity query named [Too many arguments to formatting function]. |
| [Too few arguments to formatting function] | More correct and fewer false positives results | This query now understands positional format arguments as supported by some libraries. |

8
cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
View File

@@ -62,8 +62,14 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
// a realloc followed by a null check at 'node' (return the non-null
// successor, i.e. where the realloc is confirmed to have succeeded)
newV.getAnAssignedValue() = reallocCall and
node.(AnalysedExpr).getNonNullSuccessor(newV) = verified
node.(AnalysedExpr).getNonNullSuccessor(newV) = verified and
// note: this case uses naive flow logic (getAnAssignedValue).
// special case: if the result of the 'realloc' is assigned to the
// same variable, we don't descriminate properly between the old
// and the new allocation; better to not consider this a free at
// all in that case.
newV != v
) or (
// a realloc(ptr, 0), which always succeeds and frees
// (return the realloc itself)