C++: Add more dataflow cases to replace the loss.

2026-05-05 05:35:13 +02:00 · 2021-04-13 14:50:13 +01:00
parent b0ad927fdd
commit 4879104568
2 changed files with 19 additions and 5 deletions
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -34,7 +34,7 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
 * Holds if `e` is known or suspected to be less than or equal to
 * `sub.getLeftOperand()`.
 */
-predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
+predicate exprIsSubLeftOrLess(SubExpr sub, Element e) {
  e = sub.getLeftOperand()
  or
  exists(Expr other |
@@ -46,6 +46,24 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
    )
  )
  or
+  exists(Element other |
+    // dataflow (via parameter)
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::parameterNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::parameterNode(other), DataFlow::exprNode(e))
+    )
+  )
+  or
+  exists(Element other |
+    // dataflow (via uninitialized)
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::uninitializedNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::uninitializedNode(other), DataFlow::exprNode(e))
+    )
+  )
+  or
  exists(Expr other |
    // guard constraining `sub`
    exprIsSubLeftOrLess(sub, other) and
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -1,7 +1,5 @@
 | test.cpp:6:5:6:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:10:8:10:24 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:22:12:22:20 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:32:12:32:20 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
@@ -11,8 +9,6 @@
 | test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:219:7:219:15 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:226:8:226:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:276:11:276:19 | ... > ... | Unsigned subtraction can never be negative. |