C++: Remove the implicit assumption about the existence of a lower bound implying the existence of an upper bound (and vice veraa).

2026-05-04 13:15:21 +02:00 · 2021-11-15 13:39:15 +00:00
parent 63f50a9eb7
commit 3f0bfe1d75
1 changed files with 9 additions and 6 deletions
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -1069,22 +1069,25 @@ class FormatLiteral extends Literal {
            or
            // The second case uses range analysis to deduce a length that's shorter than the length
            // of the number -2^31.
-            exists(Expr arg, float lower |
+            exists(Expr arg, float lower, float upper |
              arg = this.getUse().getConversionArgument(n) and
-              lower = lowerBound(arg.getFullyConverted())
+              lower = lowerBound(arg.getFullyConverted()) and
+              upper = upperBound(arg.getFullyConverted())
            |
              cand =
                max(int cand0 |
+                  // Include the sign bit in the length if it can be negative
                  (
-                    // Include the sign bit in the length of `lower` if it can be negative
                    if lower < 0
                    then cand0 = 1 + lengthInBase10(lower.abs())
                    else cand0 = lengthInBase10(lower)
                  )
                  or
-                  // We don't care about the sign of `upper`: if `upper` is negative, then we know
-                  // `lower` is also (possibly more) negative, and thus its length will be greater.
-                  cand0 = lengthInBase10(upperBound(arg.getFullyConverted()))
+                  (
+                    if upper < 0
+                    then cand0 = 1 + lengthInBase10(upper.abs())
+                    else cand0 = lengthInBase10(upper)
+                  )
                )
            )
          )