hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql

Browse Source
This commit is contained in:
ihsinme
2021-01-27 00:10:04 +03:00
committed by GitHub
parent f074564dc1
commit 5d5cd4fde5
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
View File

@@ -12,6 +12,7 @@
import cpp
import semmle.code.cpp.valuenumbering.HashCons
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/**
* A call to `strncat` of the form `strncat(buff, str, someExpr - strlen(buf))`, for some expression `someExpr` equal to `sizeof(buff)`.
@@ -22,8 +23,8 @@ class WrongCallStrncat extends FunctionCall {
WrongCallStrncat() {
this.getTarget().hasGlobalOrStdName("strncat") and
// the expression of the first argument in `strncat` and `strnlen` is identical
hashCons(this.getArgument(0)) =
hashCons(this.getArgument(2).(SubExpr).getRightOperand().(StrlenCall).getStringExpr()) and
globalValueNumber(this.getArgument(0)) =
globalValueNumber(this.getArgument(2).(SubExpr).getRightOperand().(StrlenCall).getStringExpr()) and
// using a string constant often speaks of manually calculating the length of the required buffer.
(
not this.getArgument(1) instanceof StringLiteral and