hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add linear expression logic.

Browse Source
This commit is contained in:
Geoffrey White
2021-04-06 18:30:18 +01:00
parent 48ff8e237c
commit 60e4faba4c
3 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
View File

@@ -14,6 +14,7 @@ import cpp
import semmle.code.cpp.commons.Exclusions
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
import semmle.code.cpp.controlflow.Guards
/**
@@ -46,6 +47,22 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
exprIsSubLeftOrLess(sub, other) and
isGuarded(sub, other, e) // left >= right
)
or
exists(Expr other, float p, float q |
// linear access of `other`
exprIsSubLeftOrLess(sub, other) and
linearAccess(e, other, p, q) and // e = p * other + q
p <= 1 and
q <= 0
)
or
exists(Expr other, float p, float q |
// linear access of `e`
exprIsSubLeftOrLess(sub, other) and
linearAccess(other, e, p, q) and // other = p * e + q
p >= 1 and
q >= 0
)
}
from RelationalOperation ro, SubExpr sub