Updated query to look for Microsoft-specific '_alloca' and '_malloca' entry points. Added sundry positive and negative test cases.

This commit is contained in:
Ziemowit Laski
2019-03-13 18:43:24 -07:00
parent a547fbea14
commit 586aa0ae41
8 changed files with 398 additions and 4 deletions


@@ -8,6 +8,7 @@
* correctness
* external/cwe/cwe-770
*/
import cpp
Loop getAnEnclosingLoopOfExpr(Expr e) {
@@ -21,7 +22,15 @@ Loop getAnEnclosingLoopOfStmt(Stmt s) {
}
from Loop l, FunctionCall fc
where getAnEnclosingLoopOfExpr(fc) = l
and fc.getTarget().getName() = "__builtin_alloca"
and not l.(DoStmt).getCondition().getValue() = "0"
select fc, "Stack allocation is inside a $@ and could lead to overflow.", l, l.toString()
where
getAnEnclosingLoopOfExpr(fc) = l and
(
fc.getTarget().getName() = "__builtin_alloca"
or
(
(fc.getTarget().getName() = "_alloca" or fc.getTarget().getName() = "_malloca") and
fc.getTarget().getADeclarationEntry().getFile().getBaseName() = "malloc.h"
)
) and
not l.(DoStmt).getCondition().getValue() = "0"
select fc, "Stack allocation is inside a $@ and could lead to stack overflow.", l, l.toString()
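Review bot: The new `_alloca`/`_malloca` branch of the `where` clause qualifies a match only by a case-sensitive comparison of the declaring file's base name with `"malloc.h"`, so a same-named function declared in any project-local `malloc.h` also matches, and nothing on the hunk says why the header restriction is there; a one-line comment such as `// MSVC declares _alloca/_malloca in <malloc.h>; the header check excludes unrelated user functions of the same name` would record the intent. The three repeated `fc.getTarget().getName() = ...` comparisons would read better folded into a single predicate so the `where` clause stays one condition and further entry points have one place to go, as sketched below. Microsoft documents `_malloca` as falling back to the heap above a size threshold, so not every `_malloca` hit is a stack allocation, though the alert text is still defensible for the stack case; that may be worth a note in the QLDoc. `getAnEnclosingLoopOfStmt` closes at the hunk's first line and starts outside it.
```ql
/**
 * Holds if `fc` calls a stack-allocating entry point: `__builtin_alloca`
 * on GCC/Clang, or `_alloca`/`_malloca` as declared in MSVC's `malloc.h`.
 */
predicate isStackAllocationCall(FunctionCall fc) {
  fc.getTarget().getName() = "__builtin_alloca"
  or
  (
    (fc.getTarget().getName() = "_alloca" or fc.getTarget().getName() = "_malloca") and
    fc.getTarget().getADeclarationEntry().getFile().getBaseName() = "malloc.h"
  )
}

from Loop l, FunctionCall fc
where
  getAnEnclosingLoopOfExpr(fc) = l and
  isStackAllocationCall(fc) and
  not l.(DoStmt).getCondition().getValue() = "0"
// … unchanged: select …
```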