Merge pull request #1535 from geoffw0/nospacezero

CPP: Fix false positives from NoSpaceForZeroTerminator.ql
2026-05-03 04:39:29 +02:00 · 2019-07-04 22:36:04 +02:00
parent 8c733fd58d 1fd08f4e47
commit 2f8787379a
3 changed files with 22 additions and 0 deletions
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -14,6 +14,8 @@
 *       external/cwe/cwe-122
 */
 import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.models.implementations.Memcpy

 class MallocCall extends FunctionCall
 {
@@ -34,6 +36,13 @@ class MallocCall extends FunctionCall

 predicate terminationProblem(MallocCall malloc, string msg) {
  malloc.getAllocatedSize() instanceof StrlenCall and
+  not exists(DataFlow::Node def, DataFlow::Node use, FunctionCall fc, MemcpyFunction memcpy, int ix |
+    DataFlow::localFlow(def, use) and
+    def.asExpr() = malloc and
+    fc.getTarget() = memcpy and
+    memcpy.hasArrayOutput(ix) and
+    use.asExpr() = fc.getArgument(ix)
+  ) and
  msg = "This allocation does not include space to null-terminate the string."
 }

--- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.c
@@ -63,3 +63,15 @@ void good3(char *str) {
    char *buffer = malloc((strlen(str) + 1) * sizeof(char));
    free(buffer);
 }
+
+void *memcpy(void *s1, const void *s2, size_t n);
+
+void good4(char *str) {
+	// GOOD -- allocating a non zero-terminated string
+	int len = strlen(str);
+	char *buffer = malloc(len);
+
+	memcpy(buffer, str, len);
+
+	free(buffer);
+}