Merge pull request #5973 from MathiasVP/more-uncontrolled-arith-improvements

C++: More `cpp/uncontrolled-arithmetic` improvements
2026-04-30 11:15:13 +02:00 · 2021-06-01 10:44:29 +02:00
parent 6d7b95c15d 8765c33847
commit 2261085cfe
2 changed files with 20 additions and 1 deletions
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -19,7 +19,11 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import TaintedWithPath

 predicate isUnboundedRandCall(FunctionCall fc) {
-  fc.getTarget().getName() = "rand" and not bounded(fc)
+  exists(Function func | func = fc.getTarget() |
+    func.hasGlobalOrStdOrBslName("rand") and
+    not bounded(fc) and
+    func.getNumberOfParameters() = 0
+  )
 }

 /**
@@ -84,6 +88,10 @@ predicate bounded(Expr e) {
  boundedDiv(e, any(DivExpr div).getLeftOperand())
  or
  boundedDiv(e, any(AssignDivExpr div).getLValue())
+  or
+  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
+  or
+  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
 }

 predicate isUnboundedRandCallOrParent(Expr e) {
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@@ -37,3 +37,14 @@ void randomTester2()
 		r = r + 100; // BAD
 	}
 }
+
+int rand(int min, int max);
+unsigned rand(int max);
+
+void test_with_bounded_randomness() {
+  int r = rand(0, 10);
+  r++; // GOOD
+
+	unsigned unsigned_r = rand(10);
+	unsigned_r++; // GOOD
+}