C++: Add an ArrayFunction model to FormattingFunction.

2025-12-24 04:36:35 +01:00 · 2020-01-24 17:10:25 +00:00
parent 06f5720cd5
commit 1d46971bb7
3 changed files with 26 additions and 3 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -6,7 +6,7 @@
 * `FormattingFunction` to match the flow within that function.
 */

-import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction

 private Type stripTopLevelSpecifiersOnly(Type t) {
  result = stripTopLevelSpecifiersOnly(t.(SpecifiedType).getBaseType())
@@ -39,7 +39,7 @@ private Type getAFormatterWideTypeOrDefault() {
 /**
 * A standard library function that uses a `printf`-like formatting string.
 */
-abstract class FormattingFunction extends Function {
+abstract class FormattingFunction extends ArrayFunction {
  /** Gets the position at which the format parameter occurs. */
  abstract int getFormatParameterIndex();

@@ -133,4 +133,26 @@ abstract class FormattingFunction extends Function {
   * Gets the position of the buffer size argument, if any.
   */
  int getSizeParameterIndex() { none() }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) {
+  	bufParam = getFormatParameterIndex()
+  } 	
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+  	bufParam = getOutputParameterIndex() and
+  	countParam = getSizeParameterIndex()
+  }
+
+  override predicate hasArrayWithUnknownSize(int bufParam) {
+  	bufParam = getOutputParameterIndex() and
+  	not exists(getSizeParameterIndex())
+  }
+
+  predicate hasArrayInput(int bufParam) {
+  	bufParam = getFormatParameterIndex()
+  }
+
+  predicate hasArrayOutput(int bufParam) {
+  	bufParam = getOutputParameterIndex()
+  }
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.expected
@@ -4,6 +4,7 @@
 | test.c:32:20:32:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:49:20:49:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:24:35:24:40 | call to malloc | This allocation does not include space to null-terminate the string. |
+| test.cpp:45:28:45:33 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:63:28:63:33 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:71:28:71:33 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:79:28:79:33 | call to malloc | This allocation does not include space to null-terminate the string. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.cpp
@@ -41,7 +41,7 @@ void good1(wchar_t *wstr) {
 }

 void bad3(char *str) {
-    // BAD -- zero-termination proved by sprintf (as destination) [NOT DETECTED]
+    // BAD -- zero-termination proved by sprintf (as destination)
    char *buffer = (char *)malloc(strlen(str));
    sprintf(buffer, "%s", str);
    free(buffer);