hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 21:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Model strdupa and strndupa string functions returning memory allocated with alloca

Browse Source
This commit is contained in:
Anders Fugmann
2021-08-18 13:00:07 +02:00
parent 21d03cd365
commit 44752d5ee0
4 changed files with 43 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
cpp/ql/lib/semmle/code/cpp/models/implementations/Strdup.qll
View File

@@ -16,6 +16,7 @@ private class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlow
hasGlobalName([
// --- C library allocation
"strdup", // strdup(str)
"strdupa", // strdupa(str) - returns stack allocated buffer
"wcsdup", // wcsdup(str)
"_strdup", // _strdup(str)
"_wcsdup", // _wcsdup(str)
@@ -31,6 +32,8 @@ private class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlow
input.isParameterDeref(0) and
output.isReturnValueDeref()
}
override predicate requiresDealloc() { not hasGlobalName("strdupa") }
}
/**
@@ -38,11 +41,11 @@ private class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlow
*/
private class StrndupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction {
StrndupFunction() {
exists(string name |
hasGlobalName(name) and
// --- C library allocation
name = "strndup" // strndup(str, maxlen)
)
hasGlobalName([
// -- C library allocation
"strndup", // strndup(str, maxlen)
"strndupa" // strndupa(str, maxlen) -- returns stack allocated buffer
])
}
override predicate hasArrayInput(int bufParam) { bufParam = 0 }
@@ -56,4 +59,6 @@ private class StrndupFunction extends AllocationFunction, ArrayFunction, DataFlo
) and
output.isReturnValueDeref()
}
override predicate requiresDealloc() { not hasGlobalName("strndupa") }
}