hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Simplify field conflation test

Browse Source 
It turned out the `memcpy` step was not even necessary.
This commit is contained in:
Jonas Jensen
2020-05-19 13:39:21 +02:00
parent 6f03a0bc39
commit 486f06ab18
5 changed files with 26 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
View File

@@ -1,7 +1,7 @@
edges
| field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:13:10:13:25 | Chi |
| field_conflation.c:12:22:12:34 | (const char *)... | field_conflation.c:13:10:13:25 | Chi |
| field_conflation.c:13:10:13:25 | Chi | field_conflation.c:19:15:19:17 | taint_array output argument |
| field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:13:3:13:18 | Chi |
| field_conflation.c:12:22:12:34 | (const char *)... | field_conflation.c:13:3:13:18 | Chi |
| field_conflation.c:13:3:13:18 | Chi | field_conflation.c:19:15:19:17 | taint_array output argument |
| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:10:20:13 | (unsigned long)... |
| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
@@ -71,7 +71,7 @@ edges
nodes
| field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
| field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
| field_conflation.c:13:10:13:25 | Chi | semmle.label | Chi |
| field_conflation.c:13:3:13:18 | Chi | semmle.label | Chi |
| field_conflation.c:19:15:19:17 | taint_array output argument | semmle.label | taint_array output argument |
| field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |
| field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |

20
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/field_conflation.c
View File

@@ -1,21 +1,21 @@
int atoi(const char *nptr);
void *malloc(unsigned long size);
char *getenv(const char *name);
void *memcpy(void *dst, void *src, unsigned long size);
struct ContainsArray {
int arr[16];
struct XY {
int x;
int y;
};
void taint_array(struct ContainsArray *ca, int offset) {
void taint_array(struct XY *xyp) {
int tainted = atoi(getenv("VAR"));
memcpy(ca->arr + offset, &tainted, sizeof(int));
xyp->y = tainted;
}
void test_conflated_fields3(int arbitrary) {
struct ContainsArray ca;
ca.x = 4;
taint_array(&ca, arbitrary);
malloc(ca.x); // not tainted [FALSE POSITIVE]
void test_conflated_fields3(void) {
struct XY xy;
xy.x = 4;
taint_array(&xy);
malloc(xy.x); // not tainted [FALSE POSITIVE]
}