hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add some query tests.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2024-03-13 11:39:34 +00:00
parent bcd36b1994
commit 3ea39a2553
5 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected
View File

@@ -11,6 +11,7 @@ edges
| test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | provenance | |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | provenance | |
| test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | provenance | |
| test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | provenance | |
nodes
| test_free.cpp:11:10:11:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test_free.cpp:14:10:14:10 | a | semmle.label | a |
@@ -36,6 +37,8 @@ nodes
| test_free.cpp:154:10:154:10 | a | semmle.label | a |
| test_free.cpp:207:10:207:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test_free.cpp:209:10:209:10 | a | semmle.label | a |
| test_free.cpp:301:12:301:14 | pointer to g_free output argument | semmle.label | pointer to g_free output argument |
| test_free.cpp:302:12:302:14 | buf | semmle.label | buf |
subpaths
#select
| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -50,3 +53,4 @@ subpaths
| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
| test_free.cpp:302:12:302:14 | buf | test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | Memory pointed to by 'buf' may already have been freed by $@. | test_free.cpp:301:5:301:10 | call to g_free | call to g_free |

2
cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
View File

@@ -102,6 +102,8 @@
| test_free.cpp:282:10:282:12 | buf |
| test_free.cpp:288:8:288:10 | buf |
| test_free.cpp:293:8:293:10 | buf |
| test_free.cpp:301:12:301:14 | buf |
| test_free.cpp:302:12:302:14 | buf |
| virtual.cpp:18:10:18:10 | a |
| virtual.cpp:19:10:19:10 | c |
| virtual.cpp:38:10:38:10 | b |

7
cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
View File

@@ -294,3 +294,10 @@ void test_free_struct4(char* buf, MyStruct s) {
s.buf = buf;
char c = s.buf[0]; // BAD
}
void g_free (void*);
void test_g_free(char* buf) {
g_free(buf);
g_free(buf); // BAD
}

9
cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected
View File

@@ -101,6 +101,10 @@ edges
| test.cpp:857:16:857:29 | ... + ... | test.cpp:857:16:857:29 | ... + ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | |
| test.cpp:868:15:868:35 | call to g_malloc | test.cpp:869:15:869:22 | ... + ... | provenance | |
| test.cpp:869:15:869:22 | ... + ... | test.cpp:869:15:869:22 | ... + ... | provenance | |
| test.cpp:869:15:869:22 | ... + ... | test.cpp:870:14:870:15 | * ... | provenance | |
| test.cpp:869:15:869:22 | ... + ... | test.cpp:870:14:870:15 | * ... | provenance | |
nodes
| test.cpp:4:15:4:33 | call to malloc | semmle.label | call to malloc |
| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
@@ -198,6 +202,10 @@ nodes
| test.cpp:857:16:857:29 | ... + ... | semmle.label | ... + ... |
| test.cpp:857:16:857:29 | ... + ... | semmle.label | ... + ... |
| test.cpp:860:5:860:11 | ... = ... | semmle.label | ... = ... |
| test.cpp:868:15:868:35 | call to g_malloc | semmle.label | call to g_malloc |
| test.cpp:869:15:869:22 | ... + ... | semmle.label | ... + ... |
| test.cpp:869:15:869:22 | ... + ... | semmle.label | ... + ... |
| test.cpp:870:14:870:15 | * ... | semmle.label | * ... |
subpaths
#select
| test.cpp:6:14:6:15 | * ... | test.cpp:4:15:4:33 | call to malloc | test.cpp:6:14:6:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:33 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -231,3 +239,4 @@ subpaths
| test.cpp:842:3:842:20 | ... = ... | test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:841:18:841:35 | call to malloc | call to malloc | test.cpp:842:11:842:15 | index | index |
| test.cpp:849:5:849:22 | ... = ... | test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:848:20:848:37 | call to malloc | call to malloc | test.cpp:849:13:849:17 | index | index |
| test.cpp:860:5:860:11 | ... = ... | test.cpp:856:12:856:35 | call to malloc | test.cpp:860:5:860:11 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:856:12:856:35 | call to malloc | call to malloc | test.cpp:857:21:857:28 | ... + ... | ... + ... |
| test.cpp:870:14:870:15 | * ... | test.cpp:868:15:868:35 | call to g_malloc | test.cpp:870:14:870:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:868:15:868:35 | call to g_malloc | call to g_malloc | test.cpp:869:19:869:22 | size | size |

9
cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp
View File

@@ -860,3 +860,12 @@ void test_regression(size_t size) {
*p = 42; // $ deref=L857->L860 // BAD
}
}
void* g_malloc(size_t size);
void test17(int size) {
char* p = (char*)g_malloc(size);
char* q = p + size; // $ alloc=L868
char a = *q; // $ deref=L869->L870 // BAD
}