CPP: Queries: Improve OverflowCalculated query.

This commit is contained in:
Geoffrey White
2019-11-22 14:02:16 +00:00
parent 1e7bd9e987
commit 3c9432d7b7
4 changed files with 7 additions and 12 deletions


@@ -12,20 +12,13 @@
import cpp
import semmle.code.cpp.dataflow.DataFlow
class MallocCall extends FunctionCall {
MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
Expr getAllocatedSize() {
result = this.getArgument(0)
}
}
import semmle.code.cpp.models.interfaces.Allocation
predicate spaceProblem(FunctionCall append, string msg) {
exists(MallocCall malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer |
exists(AllocationExpr malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer |
add.getAChild() = strlen and
exists(add.getAChild().getValue()) and
DataFlow::localExprFlow(add, malloc.getAllocatedSize()) and
DataFlow::localExprFlow(add, malloc.getSizeExpr()) and
buffer.getAnAccess() = strlen.getStringExpr() and
(
insert.getTarget().hasGlobalOrStdName("strcpy") or


@@ -1,5 +1,7 @@
| tests1.cpp:26:21:26:26 | call to malloc | This allocation does not include space to null-terminate the string. |
| tests1.cpp:56:21:56:27 | call to realloc | This allocation does not include space to null-terminate the string. |
| tests1.cpp:67:21:67:26 | call to malloc | This allocation does not include space to null-terminate the string. |
| tests1.cpp:89:25:89:30 | call to malloc | This allocation does not include space to null-terminate the string. |
| tests3.cpp:25:21:25:31 | call to malloc | This allocation does not include space to null-terminate the string. |
| tests3.cpp:30:21:30:31 | call to malloc | This allocation does not include space to null-terminate the string. |
| tests3.cpp:53:17:53:44 | new[] | This allocation does not include space to null-terminate the string. |


@@ -53,7 +53,7 @@ void tests1(int case_num)
break;
case 7:
buffer = (char *)realloc(buffer, strlen(str)); // BAD [NOT DETECTED]
buffer = (char *)realloc(buffer, strlen(str)); // BAD
strcpy(buffer, str);
break;


@@ -50,7 +50,7 @@ void tests3(int case_num)
void test3b()
{
char *buffer = new char[strlen(str3global)]; // BAD [NOT DETECTED]
char *buffer = new char[strlen(str3global)]; // BAD
strcpy(buffer, str3global);