hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add some CWE-190 tests I had lying around.

Browse Source
This commit is contained in:
Geoffrey White
2020-09-14 14:25:47 +01:00
parent d21c101c0d
commit 22097a9e13
2 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
View File

@@ -4,6 +4,9 @@
| test5.cpp:10:9:10:15 | call to strtoul | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value | | test5.cpp:10:9:10:15 | call to strtoul | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:17:6:17:27 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value | | test5.cpp:17:6:17:27 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:13 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value | | test5.cpp:19:6:19:13 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test6.cpp:11:15:11:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
| test6.cpp:16:15:16:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
| test6.cpp:30:16:30:16 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
| test.c:14:15:14:35 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value | | test.c:14:15:14:35 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value |
| test.c:44:7:44:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value | | test.c:44:7:44:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value |
| test.c:54:7:54:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value | | test.c:54:7:54:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value |

54
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp Normal file
View File

@@ -0,0 +1,54 @@
typedef unsigned short u16;
typedef unsigned int u32;
typedef struct {} FILE;
int fscanf(FILE *stream, const char *format, ...);
FILE *stdin;
void docast1(u32 s)
{
u16 c = (u16)s; // bad
}
void docast2(u32 s)
{
u16 c = (u16)s; // bad
}
class MyBaseClass
{
public:
virtual void docast(u32 s) = 0;
};
class MyDerivedClass : public MyBaseClass
{
public:
void docast(u32 s)
{
u16 c = (u16)s; // bad
}
};
void test6()
{
u32 s;
s = -1;
fscanf(stdin, "%hd", &s);
docast1(s);
{
void (*docast2_ptr)(u32) = &docast2;
docast2_ptr(s);
}
{
MyBaseClass *mbc = new MyDerivedClass;
mbc->docast(s);
delete mbc;
}
}