C++: Add cpp/invalid-pointer-deref false positives

2026-04-27 17:55:19 +02:00 · 2023-05-22 14:34:59 +02:00
parent 05c30e8fac
commit 3f289b1c99
2 changed files with 43 additions and 0 deletions
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -653,6 +653,31 @@ edges
 | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:6 | xs |
 | test.cpp:308:5:308:6 | xs | test.cpp:308:5:308:11 | access to array |
 | test.cpp:308:5:308:11 | access to array | test.cpp:308:5:308:29 | Store: ... = ... |
+| test.cpp:313:16:313:29 | new[] | test.cpp:314:17:314:18 | xs |
+| test.cpp:314:17:314:18 | xs | test.cpp:314:17:314:25 | ... + ... |
+| test.cpp:314:17:314:18 | xs | test.cpp:314:17:314:25 | ... + ... |
+| test.cpp:314:17:314:18 | xs | test.cpp:318:13:318:20 | * ... |
+| test.cpp:314:17:314:25 | ... + ... | test.cpp:318:14:318:20 | current |
+| test.cpp:314:17:314:25 | ... + ... | test.cpp:318:14:318:20 | current |
+| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:13:320:20 | * ... |
+| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:13:320:20 | * ... |
+| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:14:320:20 | current |
+| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:14:320:20 | current |
+| test.cpp:318:13:318:20 | * ... | test.cpp:318:14:318:20 | current |
+| test.cpp:318:13:318:20 | * ... | test.cpp:320:13:320:20 | * ... |
+| test.cpp:318:13:318:20 | * ... | test.cpp:320:14:320:20 | current |
+| test.cpp:318:14:318:20 | current | test.cpp:314:17:314:25 | Store: ... + ... |
+| test.cpp:318:14:318:20 | current | test.cpp:318:13:318:20 | Load: * ... |
+| test.cpp:318:14:318:20 | current | test.cpp:320:10:320:21 | Store: -- ... |
+| test.cpp:318:14:318:20 | current | test.cpp:320:12:320:21 | Load: (...) |
+| test.cpp:320:13:320:20 | * ... | test.cpp:314:17:314:25 | Store: ... + ... |
+| test.cpp:320:13:320:20 | * ... | test.cpp:318:13:318:20 | Load: * ... |
+| test.cpp:320:13:320:20 | * ... | test.cpp:320:10:320:21 | Store: -- ... |
+| test.cpp:320:13:320:20 | * ... | test.cpp:320:12:320:21 | Load: (...) |
+| test.cpp:320:14:320:20 | current | test.cpp:314:17:314:25 | Store: ... + ... |
+| test.cpp:320:14:320:20 | current | test.cpp:318:13:318:20 | Load: * ... |
+| test.cpp:320:14:320:20 | current | test.cpp:320:10:320:21 | Store: -- ... |
+| test.cpp:320:14:320:20 | current | test.cpp:320:12:320:21 | Load: (...) |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -678,3 +703,7 @@ subpaths
 | test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
 | test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
 | test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
+| test.cpp:314:17:314:25 | Store: ... + ... | test.cpp:313:16:313:29 | new[] | test.cpp:314:17:314:25 | Store: ... + ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
+| test.cpp:318:13:318:20 | Load: * ... | test.cpp:313:16:313:29 | new[] | test.cpp:318:13:318:20 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
+| test.cpp:320:10:320:21 | Store: -- ... | test.cpp:313:16:313:29 | new[] | test.cpp:320:10:320:21 | Store: -- ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
+| test.cpp:320:12:320:21 | Load: (...) | test.cpp:313:16:313:29 | new[] | test.cpp:320:12:320:21 | Load: (...) | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -308,3 +308,17 @@ void test21() {
    xs[i+1] = test21_get(i+1); // GOOD [FALSE POSITIVE]
  }
 }
+
+void test22(unsigned size, int val) {
+    char *xs = new char[size];
+    char *end = xs + size; // GOOD [FALSE POSITIVE]
+    char **current = &end;
+    do
+    {
+        if( *current - xs < 1 ) // GOOD [FALSE POSITIVE]
+            return;
+        *--(*current) = 0; // GOOD [FALSE POSITIVE]
+        val >>= 8;
+    }
+    while( val > 0 );
+}