Merge pull request #18615 from MathiasVP/fix-fp-buffer-overflow

C++: Fix FPs in `cpp/overflow-buffer`
2026-04-27 01:35:13 +02:00 · 2025-01-29 12:12:47 +00:00
parent 6e312140ce 48cae7e7ed
commit 4b2c7ef03f
6 changed files with 80 additions and 16 deletions
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -54,13 +54,28 @@ private int isSource(Expr bufferExpr, Element why) {
  result = bufferExpr.(AllocationExpr).getSizeBytes() and
  why = bufferExpr
  or
-  exists(Type bufferType |
+  exists(Type bufferType, Variable v |
+    v = why and
    // buffer is the address of a variable
    why = bufferExpr.(AddressOfExpr).getAddressable() and
-    bufferType = why.(Variable).getUnspecifiedType() and
-    result = bufferType.getSize() and
+    bufferType = v.getUnspecifiedType() and
    not bufferType instanceof ReferenceType and
    not any(Union u).getAMemberVariable() = why
+  |
+    not v instanceof Field and
+    result = bufferType.getSize()
+    or
+    // If it's an address of a field (i.e., a non-static member variable)
+    // then it's okay to use that address to access the other member variables.
+    // For example, this is okay:
+    // ```
+    // struct S { uint8_t a, b, c; };
+    // S s;
+    // memset(&s.a, 0, sizeof(S) - offsetof(S, a));
+    exists(Field f |
+      v = f and
+      result = f.getDeclaringType().getSize() - f.getByteOffset()
+    )
  )
  or
  exists(Union bufferType |