From 6552c849f0d05d706b1cff7fe5ff21ff0d345f1e Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 11 Mar 2026 15:42:28 +0000 Subject: [PATCH] C++: Fix BMN issue in cpp/integer-multiplication-cast-to-long. --- cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql | 4 +++- .../Likely Bugs/Arithmetic/IntMultToLong/Buildless.c | 6 +++--- .../Arithmetic/IntMultToLong/IntMultToLong.expected | 3 --- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql index a54ac9020c8..6747d177c80 100644 --- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql +++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql @@ -218,7 +218,9 @@ where // only report if we cannot prove that the result of the // multiplication will be less (resp. greater) than the // maximum (resp. minimum) number we can compute. - overflows(me, t1) + overflows(me, t1) and + // exclude cases where the expression type may not have been extracted accurately + not me.getParent().(Call).getTarget().hasAmbiguousReturnType() select me, "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '" + me.getFullyConverted().getType().toString() + "'." diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c index 8f14110a3b9..3d01a28fae0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c @@ -6,9 +6,9 @@ void test_float_double1(float f, double d) { double r3 = f * f; // BAD double r4 = f * d; // GOOD - float f1 = fabsf(f * f); // GOOD [FALSE POSITIVE] + float f1 = fabsf(f * f); // GOOD float f2 = fabsf(f * d); // GOOD - double f3 = fabs(f * f); // BAD + double f3 = fabs(f * f); // BAD [NOT DETECTED] double f4 = fabs(f * d); // GOOD } @@ -23,6 +23,6 @@ void test_float_double2(float f, double d) { float f1 = fabsf(f * f); // GOOD float f2 = fabsf(f * d); // GOOD - double f3 = fabs(f * f); // BAD + double f3 = fabs(f * f); // BAD [NOT DETECTED] double f4 = fabs(f * d); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected index 1a2427beb20..05b2b7e1ea3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected @@ -1,8 +1,5 @@ | Buildless.c:6:17:6:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. | -| Buildless.c:9:22:9:26 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. | -| Buildless.c:11:22:11:26 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. | | Buildless.c:21:17:21:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. | -| Buildless.c:26:22:26:26 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. | | IntMultToLong.c:4:10:4:14 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. | | IntMultToLong.c:7:16:7:20 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. | | IntMultToLong.c:18:19:18:23 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |