hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15117 from jketema/buffer

Browse Source 
C++: Only consider the maximum buffer size for badly bounded write
This commit is contained in:
Jeroen Ketema
2023-12-15 13:46:09 +01:00
committed by GitHub
parent 1ea1130271 0b1b1be356
commit 3977689808
4 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
View File

@@ -24,7 +24,7 @@ import semmle.code.cpp.security.BufferWrite
from BufferWrite bw, int destSize
where
bw.hasExplicitLimit() and // has an explicit size limit
destSize = getBufferSize(bw.getDest(), _) and
destSize = max(getBufferSize(bw.getDest(), _)) and
bw.getExplicitLimit() > destSize // but it's larger than the destination
select bw,
"This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() +

4
cpp/ql/src/change-notes/2023-12-15-badly-bounded-write.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `cpp/badly-bounded-write` query could report false positives when a pointer was first initialized with a literal and later assigned a dynamically allocated array. These false positives now no longer occur.

2
cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected
View File

@@ -1,4 +1,2 @@
| tests2.cpp:59:3:59:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 2 bytes. |
| tests2.cpp:63:3:63:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 3 bytes. |
| tests.c:43:3:43:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |
| tests.c:46:3:46:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |

4
cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp
View File

@@ -56,9 +56,9 @@ void test3() {
dest1 = (char*)malloc(sizeof(src));
if (!dest1)
return;
snprintf(dest1, sizeof(src), "%s", src); // GOOD [FALSE POSITIVE]
snprintf(dest1, sizeof(src), "%s", src); // GOOD
dest2 = (char*)malloc(3);
if (!dest2)
return;
snprintf(dest2, sizeof(src), "%s", src); // BAD (but with duplicate alerts)
snprintf(dest2, sizeof(src), "%s", src); // BAD [NOT DETECTED]
}