hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add new test cases.

Browse Source
This commit is contained in:
Geoffrey White
2020-03-12 10:49:20 +00:00
parent 263e51f72e
commit 26ed560bd7
2 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
View File

@@ -8,3 +8,9 @@
| test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:127:17:127:22 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
| test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
| test.cpp:134:3:134:8 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
| test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
| test.cpp:142:4:142:9 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
| test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
| test.cpp:169:4:169:9 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:165:19:165:24 | call to getenv | user input (getenv) |
| test.cpp:169:11:169:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:165:19:165:24 | call to getenv | user input (getenv) |

64
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
View File

@@ -126,3 +126,67 @@ void open_file_bounded () {
int* a = (int*)malloc(bounded_size * sizeof(int)); // GOOD
int* b = (int*)malloc(size * sizeof(int)); // BAD
}
void more_bounded_tests() {
{
int size = atoi(getenv("USER"));
malloc(size * sizeof(int)); // BAD
}
{
int size = atoi(getenv("USER"));
if (size > 0)
{
malloc(size * sizeof(int)); // BAD
}
}
{
int size = atoi(getenv("USER"));
if (size < 100)
{
malloc(size * sizeof(int)); // BAD [NOT DETECTED]
}
}
{
int size = atoi(getenv("USER"));
if ((size > 0) && (size < 100))
{
malloc(size * sizeof(int)); // GOOD
}
}
{
int size = atoi(getenv("USER"));
if ((100 > size) && (0 < size))
{
malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
}
}
{
int size = atoi(getenv("USER"));
malloc(size * sizeof(int)); // BAD [NOT DETECTED]
if ((size > 0) && (size < 100))
{
// ...
}
}
{
int size = atoi(getenv("USER"));
if (size > 100)
{
malloc(size * sizeof(int)); // BAD [NOT DETECTED]
}
}
}