C++: Add 'isAdditionalFlowStep' predicates for both configurations in the product dataflow library and use them to fix missing results in the 'cpp/overrun-write' query.

Mathias Vorreiter Pedersen
2022-09-28 15:02:22 +01:00
parent ccbbb5754e
commit 769ff5c6f3
4 changed files with 94 additions and 17 deletions


@@ -95,3 +95,6 @@ subpaths
| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | Load | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string |
| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | Load | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string |
| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string |
| test.cpp:99:5:99:11 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:99:18:99:23 | Load | This write may overflow $@ by 1 element. | test.cpp:99:18:99:23 | string | string |
| test.cpp:129:9:129:15 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:129:22:129:27 | Load | This write may overflow $@ by 1 element. | test.cpp:129:22:129:27 | string | string |
| test.cpp:137:9:137:15 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:137:22:137:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:137:22:137:27 | string | string |


@@ -96,7 +96,7 @@ void test4(unsigned size, char *buf, unsigned anotherSize) {
string_t *str = mk_string_t_plus_one(size);
strncpy(str->string, buf, str->size); // GOOD
strncpy(str->string, buf, str->size + 1); // BAD [NOT DETECTED]
strncpy(str->string, buf, str->size + 1); // BAD
strncpy(str->string, buf, size); // GOOD
strncpy(str->string, buf, size + 1); // GOOD
@@ -126,7 +126,7 @@ void test4(unsigned size, char *buf, unsigned anotherSize) {
}
if(anotherSize <= str->size + 1) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 1) {
@@ -134,7 +134,7 @@ void test4(unsigned size, char *buf, unsigned anotherSize) {
}
if(anotherSize <= str->size + 2) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 2) {
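Review bot: The three lines in test4 whose annotation changes from `// BAD [NOT DETECTED]` to a bare `// BAD` (the `str->size + 1` copy and the two `anotherSize` copies) do not say how far the write can run past the buffer, although the expected output now separates "by 1 element" from "by 2 elements". I would carry that into the comments, e.g. `// BAD: may overflow by 1 element` on the first two and `// BAD: may overflow by 2 elements` under `if(anotherSize <= str->size + 2)`, so a regression in the reported offset is visible from the test source alone. The rest of test4 and the definition of mk_string_t_plus_one lie outside these hunks, so the relation between `str->size` and the allocated length cannot be checked here. A one-line comment next to the `mk_string_t_plus_one(size)` call stating that relation would let a reader verify the expected offsets.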