C++: Explore negative indices more in tests.

2025-12-16 16:53:25 +01:00 · 2025-02-24 10:36:43 +00:00
parent 90758b37ef
commit 3681ace746
3 changed files with 57 additions and 12 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
@@ -100,6 +100,11 @@
 | tests.cpp:938:2:938:17 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:906:11:906:12 | xs | array |
 | tests.cpp:940:2:940:17 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 40 bytes. | tests.cpp:906:11:906:12 | xs | array |
 | tests.cpp:941:2:941:18 | access to array | This array indexing operation accesses byte offset 403 but the $@ is only 40 bytes. | tests.cpp:906:11:906:12 | xs | array |
+| tests.cpp:984:2:984:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:989:2:989:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:994:2:994:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:1001:2:1001:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:1009:2:1009:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
 | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
 | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
@@ -27,8 +27,8 @@ edges
 | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | **argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | *argv | provenance |  |
-| main.cpp:10:20:10:23 | **argv | tests.cpp:978:32:978:35 | **argv | provenance |  |
-| main.cpp:10:20:10:23 | *argv | tests.cpp:978:32:978:35 | *argv | provenance |  |
+| main.cpp:10:20:10:23 | **argv | tests.cpp:1017:32:1017:35 | **argv | provenance |  |
+| main.cpp:10:20:10:23 | *argv | tests.cpp:1017:32:1017:35 | *argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | provenance |  |
 | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance |  |
@@ -41,12 +41,12 @@ edges
 | tests.cpp:649:14:649:14 | *s [*home] | tests.cpp:649:14:649:19 | *home | provenance |  |
 | tests.cpp:649:14:649:14 | *s [*home] | tests.cpp:649:16:649:19 | *home | provenance |  |
 | tests.cpp:649:16:649:19 | *home | tests.cpp:649:14:649:19 | *home | provenance |  |
-| tests.cpp:978:32:978:35 | **argv | tests.cpp:1003:9:1003:15 | *access to array | provenance |  |
-| tests.cpp:978:32:978:35 | **argv | tests.cpp:1004:9:1004:15 | *access to array | provenance |  |
-| tests.cpp:978:32:978:35 | *argv | tests.cpp:1003:9:1003:15 | *access to array | provenance |  |
-| tests.cpp:978:32:978:35 | *argv | tests.cpp:1004:9:1004:15 | *access to array | provenance |  |
-| tests.cpp:1003:9:1003:15 | *access to array | tests.cpp:634:19:634:24 | *source | provenance |  |
-| tests.cpp:1004:9:1004:15 | *access to array | tests.cpp:643:19:643:24 | *source | provenance |  |
+| tests.cpp:1017:32:1017:35 | **argv | tests.cpp:1042:9:1042:15 | *access to array | provenance |  |
+| tests.cpp:1017:32:1017:35 | **argv | tests.cpp:1043:9:1043:15 | *access to array | provenance |  |
+| tests.cpp:1017:32:1017:35 | *argv | tests.cpp:1042:9:1042:15 | *access to array | provenance |  |
+| tests.cpp:1017:32:1017:35 | *argv | tests.cpp:1043:9:1043:15 | *access to array | provenance |  |
+| tests.cpp:1042:9:1042:15 | *access to array | tests.cpp:634:19:634:24 | *source | provenance |  |
+| tests.cpp:1043:9:1043:15 | *access to array | tests.cpp:643:19:643:24 | *source | provenance |  |
 | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance |  |
 | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 nodes
@@ -80,10 +80,10 @@ nodes
 | tests.cpp:649:14:649:14 | *s [*home] | semmle.label | *s [*home] |
 | tests.cpp:649:14:649:19 | *home | semmle.label | *home |
 | tests.cpp:649:16:649:19 | *home | semmle.label | *home |
-| tests.cpp:978:32:978:35 | **argv | semmle.label | **argv |
-| tests.cpp:978:32:978:35 | *argv | semmle.label | *argv |
-| tests.cpp:1003:9:1003:15 | *access to array | semmle.label | *access to array |
-| tests.cpp:1004:9:1004:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:1017:32:1017:35 | **argv | semmle.label | **argv |
+| tests.cpp:1017:32:1017:35 | *argv | semmle.label | *argv |
+| tests.cpp:1042:9:1042:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:1043:9:1043:15 | *access to array | semmle.label | *access to array |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -975,6 +975,45 @@ void test27(size_t s) {
 	}
 }

+bool cond();
+
+void test28() {
+	int arr[10];
+
+	int *ptr1 = arr;
+	ptr1[-1] = 0; // BAD: underrun write
+	ptr1++;
+	ptr1[-1] = 0; // GOOD
+
+	int *ptr2 = arr;
+	ptr2[-1] = 0; // BAD: underrun write
+	*ptr2++;
+	ptr2[-1] = 0; // GOOD
+
+	int *ptr3 = arr;
+	ptr3[-1] = 0; // BAD: underrun write
+	if (cond()) {
+		ptr3++;
+	}
+	ptr3[-1] = 0; // GOOD (depending what cond() does)
+
+	int *ptr4 = arr;
+	ptr4[-1] = 0; // BAD: underrun write
+	while (true) {
+		ptr4++;
+		if (cond()) break;
+	}
+	ptr4[-1] = 0; // GOOD
+
+	int *ptr5 = arr;
+	ptr5[-1] = 0; // BAD: underrun write
+	while (true) {
+		if (cond()) ptr5++;
+		if (cond()) break;
+	}
+	ptr5[-1] = 0; // GOOD (depending what cond() does)
+}
+
 int tests_main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -1004,6 +1043,7 @@ int tests_main(int argc, char *argv[])
 	test25(argv[0]);
 	test26();
 	test27(argc);
+	test28();

 	return 0;
 }