mirror of
https://github.com/github/codeql.git
synced 2025-12-18 01:33:15 +01:00
C++: Path explanations in DefaultTaintTracking
The first three queries are migrated to use path explanations.
This commit is contained in:
Jonas Jensen
@@ -2,7 +2,7 @@
|
||||
* @name Uncontrolled data used in path expression
|
||||
* @description Accessing paths influenced by users can allow an
|
||||
* attacker to access unexpected resources.
|
||||
* @kind problem
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @id cpp/path-injection
|
||||
@@ -17,6 +17,7 @@ import cpp
|
||||
import semmle.code.cpp.security.FunctionWithWrappers
|
||||
import semmle.code.cpp.security.Security
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
|
||||
/**
|
||||
* A function for opening a file.
|
||||
@@ -51,12 +52,19 @@ class FileFunction extends FunctionWithWrappers {
|
||||
override predicate interestingArg(int arg) { arg = 0 }
|
||||
}
|
||||
|
||||
class TaintedPathConfiguration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element tainted) {
|
||||
exists(FileFunction fileFunction | fileFunction.outermostWrapperFunctionCall(tainted, _))
|
||||
}
|
||||
}
|
||||
|
||||
from
|
||||
FileFunction fileFunction, Expr taintedArg, Expr taintSource, string taintCause, string callChain
|
||||
FileFunction fileFunction, Expr taintedArg, Expr taintSource, PathNode sourceNode,
|
||||
PathNode sinkNode, string taintCause, string callChain
|
||||
where
|
||||
fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
|
||||
tainted(taintSource, taintedArg) and
|
||||
taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
|
||||
isUserInput(taintSource, taintCause)
|
||||
select taintedArg,
|
||||
select taintedArg, sourceNode, sinkNode,
|
||||
"This argument to a file access function is derived from $@ and then passed to " + callChain,
|
||||
taintSource, "user input (" + taintCause + ")"
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
* @description Using externally-controlled format strings in
|
||||
* printf-style functions can lead to buffer overflows
|
||||
* or data representation problems.
|
||||
* @kind problem
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @id cpp/tainted-format-string
|
||||
@@ -16,12 +16,20 @@ import cpp
|
||||
import semmle.code.cpp.security.Security
|
||||
import semmle.code.cpp.security.FunctionWithWrappers
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
|
||||
from PrintfLikeFunction printf, Expr arg, string printfFunction, Expr userValue, string cause
|
||||
class TaintedPathConfiguration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element tainted) {
|
||||
exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _))
|
||||
}
|
||||
}
|
||||
|
||||
from PrintfLikeFunction printf, Expr arg, PathNode sourceNode,
|
||||
PathNode sinkNode, string printfFunction, Expr userValue, string cause
|
||||
where
|
||||
printf.outermostWrapperFunctionCall(arg, printfFunction) and
|
||||
tainted(userValue, arg) and
|
||||
taintedWithPath(userValue, arg, sourceNode, sinkNode) and
|
||||
isUserInput(userValue, cause)
|
||||
select arg,
|
||||
select arg, sourceNode, sinkNode,
|
||||
"The value of this argument may come from $@ and is being used as a formatting argument to " +
|
||||
printfFunction, userValue, cause
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
* @name Overflow in uncontrolled allocation size
|
||||
* @description Allocating memory with a size controlled by an external
|
||||
* user can result in integer overflow.
|
||||
* @kind problem
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id cpp/uncontrolled-allocation-size
|
||||
@@ -13,21 +13,33 @@
|
||||
|
||||
import cpp
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
|
||||
predicate taintedAllocSize(Expr e, Expr source, string taintCause) {
|
||||
predicate taintedChild(Expr e, Expr tainted) {
|
||||
(
|
||||
isAllocationExpr(e) or
|
||||
isAllocationExpr(e)
|
||||
or
|
||||
any(MulExpr me | me.getAChild() instanceof SizeofOperator) = e
|
||||
) and
|
||||
tainted = e.getAChild() and
|
||||
tainted.getUnspecifiedType() instanceof IntegralType
|
||||
}
|
||||
|
||||
class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element tainted) { taintedChild(_, tainted) }
|
||||
}
|
||||
|
||||
predicate taintedAllocSize(
|
||||
Expr e, Expr source, PathNode sourceNode, PathNode sinkNode, string taintCause
|
||||
) {
|
||||
isUserInput(source, taintCause) and
|
||||
exists(Expr tainted |
|
||||
tainted = e.getAChild() and
|
||||
tainted.getUnspecifiedType() instanceof IntegralType and
|
||||
isUserInput(source, taintCause) and
|
||||
tainted(source, tainted)
|
||||
taintedChild(e, tainted) and
|
||||
taintedWithPath(source, tainted, sourceNode, sinkNode)
|
||||
)
|
||||
}
|
||||
|
||||
from Expr e, Expr source, string taintCause
|
||||
where taintedAllocSize(e, source, taintCause)
|
||||
select e, "This allocation size is derived from $@ and might overflow", source,
|
||||
"user input (" + taintCause + ")"
|
||||
from Expr e, Expr source, PathNode sourceNode, PathNode sinkNode, string taintCause
|
||||
where taintedAllocSize(e, source, sourceNode, sinkNode, taintCause)
|
||||
select e, sourceNode, sinkNode, "This allocation size is derived from $@ and might overflow",
|
||||
source, "user input (" + taintCause + ")"
|
||||
|
||||
@@ -2,6 +2,7 @@ import cpp
|
||||
import semmle.code.cpp.security.Security
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow2
|
||||
private import semmle.code.cpp.ir.dataflow.DataFlow3
|
||||
private import semmle.code.cpp.ir.IR
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
|
||||
private import semmle.code.cpp.models.interfaces.Taint
|
||||
@@ -171,6 +172,7 @@ private predicate nodeIsBarrierIn(DataFlow::Node node) {
|
||||
node = getNodeForSource(any(Expr e))
|
||||
}
|
||||
|
||||
cached
|
||||
private predicate instructionTaintStep(Instruction i1, Instruction i2) {
|
||||
// Expressions computed from tainted data are also tainted
|
||||
exists(CallInstruction call, int argIndex | call = i2 |
|
||||
@@ -381,3 +383,135 @@ Function resolveCall(Call call) {
|
||||
result = Dispatch::viableCallable(callInstruction)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Provides definitions for augmenting source/sink pairs with data-flow paths
|
||||
* between them. From a `@kind path-problem` query, import this module in the
|
||||
* global scope, extend `TaintTrackingConfiguration`, and use `taintedWithPath`
|
||||
* in place of `tainted`.
|
||||
*
|
||||
* Importing this module will also import the query predicates that contain the
|
||||
* taint paths.
|
||||
*/
|
||||
module TaintedWithPath {
|
||||
/**
|
||||
* A taint-tracking configuration that matches sources and sinks in the same
|
||||
* way as the `tainted` predicate.
|
||||
*/
|
||||
class TaintTrackingConfiguration extends int {
|
||||
TaintTrackingConfiguration() { this = 1 }
|
||||
|
||||
/** Override this to specify which elements are sinks in this configuration. */
|
||||
abstract predicate isSink(Element e);
|
||||
}
|
||||
|
||||
private class AdjustedConfiguration extends DataFlow3::Configuration {
|
||||
AdjustedConfiguration() { this = "AdjustedConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
instructionTaintStep(n1.asInstruction(), n2.asInstruction())
|
||||
}
|
||||
|
||||
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
|
||||
|
||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||
}
|
||||
|
||||
/*
|
||||
* A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
|
||||
* inverse of) `adjustedSink`. For example, an `Expr` maps to all its
|
||||
* conversions, and a `Variable` maps to all loads and stores from it. Because
|
||||
* the path node is part of the tuple that constitutes the alert, this leads
|
||||
* to duplicate alerts.
|
||||
*
|
||||
* To avoid showing duplicates, we edit the graph to replace the final node
|
||||
* coming from the data-flow library with a node that matches exactly the
|
||||
* `Element` sink that's requested.
|
||||
*
|
||||
* The same should ideally be done with the source, but we haven't seen a
|
||||
* need for it yet.
|
||||
*/
|
||||
|
||||
private newtype TPathNode =
|
||||
TWrapPathNode(DataFlow3::PathNode n) or
|
||||
TFinalPathNode(Element e) { exists(TaintTrackingConfiguration cfg | cfg.isSink(e)) }
|
||||
|
||||
/** An opaque type used for the nodes of a data-flow path. */
|
||||
class PathNode extends TPathNode {
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() { none() }
|
||||
|
||||
/**
|
||||
* Holds if this element is at the specified location.
|
||||
* The location spans column `startcolumn` of line `startline` to
|
||||
* column `endcolumn` of line `endline` in file `filepath`.
|
||||
* For more information, see
|
||||
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
|
||||
*/
|
||||
predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
none()
|
||||
}
|
||||
}
|
||||
|
||||
private class WrapPathNode extends PathNode, TPathNode {
|
||||
DataFlow3::PathNode inner() { this = TWrapPathNode(result) }
|
||||
|
||||
override string toString() { result = this.inner().toString() }
|
||||
|
||||
override predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this.inner().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
}
|
||||
|
||||
private class FinalPathNode extends PathNode, TFinalPathNode {
|
||||
Element inner() { this = TFinalPathNode(result) }
|
||||
|
||||
override string toString() { result = this.inner().toString() }
|
||||
|
||||
override predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this
|
||||
.inner()
|
||||
.getLocation()
|
||||
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
}
|
||||
|
||||
/** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
|
||||
query predicate edges(PathNode a, PathNode b) {
|
||||
DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
|
||||
or
|
||||
// To avoid showing trivial-looking steps, we replace the last node instead
|
||||
// of adding an edge out of it.
|
||||
exists(WrapPathNode replaced |
|
||||
DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), replaced.inner()) and
|
||||
b.(FinalPathNode).inner() = adjustedSink(replaced.inner().getNode())
|
||||
)
|
||||
}
|
||||
|
||||
/** Holds if `n` is a node in the graph of data flow path explanations. */
|
||||
query predicate nodes(PathNode n, string key, string val) {
|
||||
key = "semmle.label" and val = n.toString()
|
||||
}
|
||||
|
||||
predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
|
||||
exists(AdjustedConfiguration cfg, DataFlow3::PathNode sinkInner, DataFlow::Node sink |
|
||||
sourceNode.(WrapPathNode).inner().getNode() = getNodeForSource(source) and
|
||||
sinkInner.getNode() = sink and
|
||||
cfg.hasFlowPath(sourceNode.(WrapPathNode).inner(), sinkInner) and
|
||||
tainted = adjustedSink(sinkInner.getNode()) and
|
||||
tainted = sinkNode.(FinalPathNode).inner()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -323,6 +323,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
|
||||
simpleInstructionLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
|
||||
}
|
||||
|
||||
cached
|
||||
private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction iTo) {
|
||||
iTo.(CopyInstruction).getSourceValue() = iFrom
|
||||
or
|
||||
|
||||
@@ -1 +1,11 @@
|
||||
| test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
|
||||
edges
|
||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
|
||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
||||
nodes
|
||||
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
||||
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
||||
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
||||
| test.c:17:11:17:18 | fileName | semmle.label | fileName |
|
||||
| test.c:27:11:27:18 | fileName | semmle.label | fileName |
|
||||
#select
|
||||
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
|
||||
|
||||
@@ -1,28 +1,242 @@
|
||||
| argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | argv |
|
||||
| argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | argv |
|
||||
| argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
|
||||
| argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
|
||||
| argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
|
||||
| argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
|
||||
| argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
|
||||
| argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
|
||||
| argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
|
||||
| argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
|
||||
edges
|
||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
|
||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||
nodes
|
||||
| argvLocal.c:15:9:15:17 | Correct | semmle.label | Correct |
|
||||
| argvLocal.c:16:15:16:23 | Correct | semmle.label | Correct |
|
||||
| argvLocal.c:20:9:20:10 | c1 | semmle.label | c1 |
|
||||
| argvLocal.c:21:15:21:16 | c1 | semmle.label | c1 |
|
||||
| argvLocal.c:25:9:25:10 | c2 | semmle.label | c2 |
|
||||
| argvLocal.c:26:15:26:16 | c2 | semmle.label | c2 |
|
||||
| argvLocal.c:30:9:30:11 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:31:15:31:17 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:36:9:36:10 | c4 | semmle.label | c4 |
|
||||
| argvLocal.c:37:15:37:16 | c4 | semmle.label | c4 |
|
||||
| argvLocal.c:41:9:41:10 | c5 | semmle.label | c5 |
|
||||
| argvLocal.c:42:15:42:16 | c5 | semmle.label | c5 |
|
||||
| argvLocal.c:47:9:47:10 | c6 | semmle.label | c6 |
|
||||
| argvLocal.c:48:15:48:16 | c6 | semmle.label | c6 |
|
||||
| argvLocal.c:51:9:51:21 | ... + ... | semmle.label | ... + ... |
|
||||
| argvLocal.c:52:15:52:27 | ... + ... | semmle.label | ... + ... |
|
||||
| argvLocal.c:55:9:55:12 | ... ++ | semmle.label | ... ++ |
|
||||
| argvLocal.c:56:15:56:18 | -- ... | semmle.label | -- ... |
|
||||
| argvLocal.c:59:9:59:20 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
||||
| argvLocal.c:60:15:60:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
||||
| argvLocal.c:63:9:63:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
||||
| argvLocal.c:64:15:64:32 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
||||
| argvLocal.c:68:9:68:10 | c7 | semmle.label | c7 |
|
||||
| argvLocal.c:69:15:69:16 | c7 | semmle.label | c7 |
|
||||
| argvLocal.c:74:9:74:10 | c8 | semmle.label | c8 |
|
||||
| argvLocal.c:75:15:75:16 | c8 | semmle.label | c8 |
|
||||
| argvLocal.c:80:9:80:10 | c9 | semmle.label | c9 |
|
||||
| argvLocal.c:81:15:81:16 | c9 | semmle.label | c9 |
|
||||
| argvLocal.c:86:9:86:11 | c91 | semmle.label | c91 |
|
||||
| argvLocal.c:87:15:87:17 | c91 | semmle.label | c91 |
|
||||
| argvLocal.c:91:18:91:20 | c10 | semmle.label | c10 |
|
||||
| argvLocal.c:92:24:92:26 | c10 | semmle.label | c10 |
|
||||
| argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
|
||||
| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
||||
| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
||||
| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
||||
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
|
||||
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
|
||||
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
|
||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
||||
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
|
||||
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
|
||||
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
|
||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||
| argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
||||
| argvLocal.c:140:15:140:32 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
||||
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
||||
| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
||||
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
|
||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
||||
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
|
||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
||||
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
||||
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
||||
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
||||
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||
#select
|
||||
| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | argv |
|
||||
| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | argv |
|
||||
| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
|
||||
| argvLocal.c:116:9:116:10 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:117:15:117:16 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:121:9:121:10 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:127:9:127:10 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:128:15:128:16 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:131:9:131:14 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
|
||||
| argvLocal.c:135:9:135:12 | ... ++ | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
|
||||
| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
|
||||
| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
|
||||
| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
|
||||
| argvLocal.c:157:9:157:10 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
|
||||
| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
|
||||
| argvLocal.c:164:9:164:11 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
|
||||
| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
|
||||
| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
|
||||
| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
|
||||
|
||||
@@ -1,7 +1,56 @@
|
||||
| funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
|
||||
| funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
|
||||
| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
|
||||
| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
|
||||
| funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
|
||||
| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
|
||||
| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |
|
||||
edges
|
||||
| funcsLocal.c:16:8:16:9 | BufferMayWriteSideEffect | funcsLocal.c:17:9:17:10 | (const char *)... |
|
||||
| funcsLocal.c:16:8:16:9 | BufferMayWriteSideEffect | funcsLocal.c:17:9:17:10 | i1 |
|
||||
| funcsLocal.c:26:8:26:9 | BufferMustWriteSideEffect | funcsLocal.c:27:9:27:10 | (const char *)... |
|
||||
| funcsLocal.c:26:8:26:9 | BufferMustWriteSideEffect | funcsLocal.c:27:9:27:10 | i3 |
|
||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||
| funcsLocal.c:31:19:31:21 | BufferMustWriteSideEffect | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||
| funcsLocal.c:31:19:31:21 | BufferMustWriteSideEffect | funcsLocal.c:32:9:32:10 | i4 |
|
||||
| funcsLocal.c:36:7:36:8 | BufferMustWriteSideEffect | funcsLocal.c:37:9:37:10 | (const char *)... |
|
||||
| funcsLocal.c:36:7:36:8 | BufferMustWriteSideEffect | funcsLocal.c:37:9:37:10 | i5 |
|
||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||
| funcsLocal.c:41:18:41:20 | BufferMustWriteSideEffect | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||
| funcsLocal.c:41:18:41:20 | BufferMustWriteSideEffect | funcsLocal.c:42:9:42:10 | i6 |
|
||||
nodes
|
||||
| funcsLocal.c:16:8:16:9 | BufferMayWriteSideEffect | semmle.label | BufferMayWriteSideEffect |
|
||||
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
|
||||
| funcsLocal.c:22:9:22:12 | %s | semmle.label | %s |
|
||||
| funcsLocal.c:26:8:26:9 | BufferMustWriteSideEffect | semmle.label | BufferMustWriteSideEffect |
|
||||
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
|
||||
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
||||
| funcsLocal.c:31:19:31:21 | BufferMustWriteSideEffect | semmle.label | BufferMustWriteSideEffect |
|
||||
| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||
| funcsLocal.c:36:7:36:8 | BufferMustWriteSideEffect | semmle.label | BufferMustWriteSideEffect |
|
||||
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
|
||||
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
||||
| funcsLocal.c:41:18:41:20 | BufferMustWriteSideEffect | semmle.label | BufferMustWriteSideEffect |
|
||||
| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||
| funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
|
||||
| funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
|
||||
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
|
||||
#select
|
||||
| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | BufferMayWriteSideEffect | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
|
||||
| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | BufferMustWriteSideEffect | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
|
||||
| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
|
||||
| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:19:31:21 | BufferMustWriteSideEffect | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
|
||||
| funcsLocal.c:37:9:37:10 | i5 | funcsLocal.c:36:7:36:8 | BufferMustWriteSideEffect | funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
|
||||
| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
|
||||
| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:18:41:20 | BufferMustWriteSideEffect | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
edges
|
||||
nodes
|
||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
||||
| globalVars.c:33:9:33:12 | %s | semmle.label | %s |
|
||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
||||
| globalVars.c:44:9:44:12 | %s | semmle.label | %s |
|
||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
||||
#select
|
||||
|
||||
@@ -1,11 +1,119 @@
|
||||
| ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
|
||||
| ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
|
||||
| ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv |
|
||||
| ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv |
|
||||
| ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv |
|
||||
| ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | argv |
|
||||
| ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv |
|
||||
| ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv |
|
||||
| ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv |
|
||||
| ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv |
|
||||
| ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | argv |
|
||||
edges
|
||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... |
|
||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||
nodes
|
||||
| ifs.c:26:9:26:10 | c1 | semmle.label | c1 |
|
||||
| ifs.c:32:9:32:10 | c2 | semmle.label | c2 |
|
||||
| ifs.c:38:9:38:10 | c3 | semmle.label | c3 |
|
||||
| ifs.c:44:9:44:10 | c4 | semmle.label | c4 |
|
||||
| ifs.c:50:9:50:10 | c5 | semmle.label | c5 |
|
||||
| ifs.c:56:9:56:10 | c6 | semmle.label | c6 |
|
||||
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
||||
| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
||||
| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
||||
| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
||||
| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
||||
| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
||||
| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
||||
| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
||||
| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
||||
| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
||||
| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
||||
| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
|
||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||
#select
|
||||
| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
|
||||
| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
|
||||
| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv |
|
||||
| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv |
|
||||
| ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv |
|
||||
| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | argv |
|
||||
| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv |
|
||||
| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv |
|
||||
| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv |
|
||||
| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv |
|
||||
| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | argv |
|
||||
|
||||
@@ -1,9 +1,84 @@
|
||||
| test.cpp:42:31:42:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:43:31:43:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:45:31:45:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:48:25:48:30 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:52:21:52:27 | call to realloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:127:17:127:22 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:123:25:123:30 | call to getenv | user input (getenv) |
|
||||
edges
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | (unsigned long)... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | (unsigned long)... |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
|
||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
|
||||
| test.cpp:123:25:123:38 | (const char *)... | test.cpp:127:24:127:27 | (size_t)... |
|
||||
| test.cpp:123:25:123:38 | (const char *)... | test.cpp:127:24:127:27 | size |
|
||||
| test.cpp:123:25:123:38 | (const char *)... | test.cpp:127:24:127:27 | size |
|
||||
nodes
|
||||
| test.cpp:39:21:39:24 | argv | semmle.label | argv |
|
||||
| test.cpp:41:38:41:53 | sizeof(MyStruct) | semmle.label | sizeof(MyStruct) |
|
||||
| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
|
||||
| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
|
||||
| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
|
||||
| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
|
||||
| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
|
||||
| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
|
||||
| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
|
||||
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
|
||||
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
|
||||
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
|
||||
| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:43:48:43:63 | sizeof(MyStruct) | semmle.label | sizeof(MyStruct) |
|
||||
| test.cpp:44:38:44:47 | call to getTainted | semmle.label | call to getTainted |
|
||||
| test.cpp:44:38:44:68 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:44:53:44:68 | sizeof(MyStruct) | semmle.label | sizeof(MyStruct) |
|
||||
| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
|
||||
| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
|
||||
| test.cpp:48:32:48:35 | size | semmle.label | size |
|
||||
| test.cpp:48:32:48:35 | size | semmle.label | size |
|
||||
| test.cpp:48:32:48:35 | size | semmle.label | size |
|
||||
| test.cpp:49:26:49:29 | size | semmle.label | size |
|
||||
| test.cpp:49:26:49:29 | size | semmle.label | size |
|
||||
| test.cpp:49:26:49:29 | size | semmle.label | size |
|
||||
| test.cpp:52:35:52:50 | sizeof(MyStruct) | semmle.label | sizeof(MyStruct) |
|
||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
|
||||
| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
|
||||
| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
|
||||
| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
|
||||
| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
|
||||
| test.cpp:55:20:55:23 | size | semmle.label | size |
|
||||
| test.cpp:68:18:68:21 | size | semmle.label | size |
|
||||
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
|
||||
| test.cpp:123:25:123:38 | (const char *)... | semmle.label | (const char *)... |
|
||||
| test.cpp:126:24:126:35 | bounded_size | semmle.label | bounded_size |
|
||||
| test.cpp:127:24:127:27 | (size_t)... | semmle.label | (size_t)... |
|
||||
| test.cpp:127:24:127:27 | (size_t)... | semmle.label | (size_t)... |
|
||||
| test.cpp:127:24:127:27 | size | semmle.label | size |
|
||||
| test.cpp:127:24:127:27 | size | semmle.label | size |
|
||||
| test.cpp:127:24:127:27 | size | semmle.label | size |
|
||||
#select
|
||||
| test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:43:38:43:63 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:52:35:52:60 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||
| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:25:123:38 | (const char *)... | test.cpp:127:24:127:27 | size | This allocation size is derived from $@ and might overflow | test.cpp:123:25:123:30 | call to getenv | user input (getenv) |
|
||||
|
||||
Reference in New Issue
Block a user