diff --git a/cpp/ql/src/Critical/OverflowCalculated.ql b/cpp/ql/src/Critical/OverflowCalculated.ql
index 11e85b0d916..1fa1ba04c17 100644
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -12,20 +12,13 @@
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
-
-class MallocCall extends FunctionCall {
- MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
-
- Expr getAllocatedSize() {
- result = this.getArgument(0)
- }
-}
+import semmle.code.cpp.models.interfaces.Allocation
 predicate spaceProblem(FunctionCall append, string msg) {
- exists(MallocCall malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer |
+ exists(AllocationExpr malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer |
 add.getAChild() = strlen and
 exists(add.getAChild().getValue()) and
- DataFlow::localExprFlow(add, malloc.getAllocatedSize()) and
+ DataFlow::localExprFlow(add, malloc.getSizeExpr()) and
 buffer.getAnAccess() = strlen.getStringExpr() and
 (
 insert.getTarget().hasGlobalOrStdName("strcpy") or
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected b/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected
index defdbece639..e106945ffb5 100644
--- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected
+++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected
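Review bot: Replacing `malloc.getAllocatedSize()` with `malloc.getSizeExpr()` changes the unit of the size being compared: for `malloc` the first argument is a byte count, but if I read the Allocation model correctly, `AllocationExpr.getSizeExpr()` on `new T[n]` and multiplier-style allocators is an element count that must be scaled by `getSizeMult()` to get bytes, while the `strlen(...) + constant` arithmetic in this predicate is in bytes. The `char` cases in the tests have a multiplier of 1, but a non-byte element type would make the terminator-space comparison over- or under-report; adding `malloc.getSizeMult() = 1 and` next to the `localExprFlow` line keeps the check sound for the widened allocator set. The `spaceProblem` predicate continues below the hunk, and if the query's header metadata above it still describes the check in terms of `malloc` only, it should now also mention `realloc` and `new[]`, which the expected file shows being reported.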
@@ -1,5 +1,7 @@
 | tests1.cpp:26:21:26:26 | call to malloc | This allocation does not include space to null-terminate the string. |
+| tests1.cpp:56:21:56:27 | call to realloc | This allocation does not include space to null-terminate the string. |
 | tests1.cpp:67:21:67:26 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests1.cpp:89:25:89:30 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:25:21:25:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:30:21:30:31 | call to malloc | This allocation does not include space to null-terminate the string. |
+| tests3.cpp:53:17:53:44 | new[] | This allocation does not include space to null-terminate the string. |
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp
index e10ab8069a6..ce660ed0de8 100644
--- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp
+++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp
@@ -53,7 +53,7 @@ void tests1(int case_num)
 break;
 case 7:
- buffer = (char *)realloc(buffer, strlen(str)); // BAD [NOT DETECTED]
+ buffer = (char *)realloc(buffer, strlen(str)); // BAD
 strcpy(buffer, str);
 break;
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp
index 79520735901..051f6b33204 100644
--- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp
+++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp
@@ -50,7 +50,7 @@ void tests3(int case_num)
 void test3b() {
- char *buffer = new char[strlen(str3global)]; // BAD [NOT DETECTED]
+ char *buffer = new char[strlen(str3global)]; // BAD
 strcpy(buffer, str3global);