C++: Add test cases with false positives due to missing range analysis in 'cpp/overrunning-write'.

Mathias Vorreiter Pedersen
2021-11-04 21:13:28 +00:00
parent e9b114630a
commit 693baae1ba
2 changed files with 42 additions and 0 deletions


@@ -3,3 +3,15 @@
| tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
| tests.cpp:318:3:318:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
| tests.cpp:332:4:332:10 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
| tests.cpp:336:2:336:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:337:2:337:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
| tests.cpp:338:2:338:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:339:2:339:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |


@@ -307,4 +307,34 @@ namespace custom_sprintf_impl {
char buffer8[8];
sprintf(buffer8, "12345678"); // BAD: potential buffer overflow
}
}
void test6(unsigned unsigned_value, int value) {
char buffer[2];
sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
if (unsigned_value < 10) {
sprintf(buffer, "%u", unsigned_value); // GOOD [FALSE POSITIVE]
}
sprintf(buffer, "%u", -10); // BAD: buffer overflow
if(unsigned_value == (unsigned)-10) {
sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
}
sprintf(buffer, "%d", value); // BAD: buffer overflow
if (value < 10) {
sprintf(buffer, "%d", value); // BAD: buffer overflow
if(value > 0) {
sprintf(buffer, "%d", value); // GOOD [FALSE POSITIVE]
}
}
sprintf(buffer, "%u", 0); // GOOD [FALSE POSITIVE]
sprintf(buffer, "%d", 0); // GOOD [FALSE POSITIVE]
sprintf(buffer, "%u", 5); // GOOD [FALSE POSITIVE]
sprintf(buffer, "%d", 5); // GOOD [FALSE POSITIVE]
}
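Review bot: The new `test6` cases pin only the safe side of each bound (`unsigned_value < 10`, `value < 10` combined with `value > 0`, and the constants 0 and 5), so once range analysis is added to the query, nothing here would catch an off-by-one that also suppresses a real overrun of the 2-byte buffer. A case just past each boundary, annotated BAD, would close that gap: `if (unsigned_value < 100) sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow` (two digits plus the terminator need 3 bytes) and `if (value > -10 && value < 0) sprintf(buffer, "%d", value); // BAD: buffer overflow` (sign, digit and terminator need 3 bytes). The matching rows would have to be added to the expected-results file as well. A one-line comment above `test6` stating that `char buffer[2]` holds one character plus the NUL would also help, since every GOOD/BAD label in the function depends on that.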