Merge pull request #13560 from am0o0/amammad-cpp-bombs

C++: Decompression Bombs
2025-12-17 01:03:14 +01:00 · 2024-09-05 20:01:02 +02:00
parent 013ee34de7 a226bdfbd3
commit 78c6c09912
20 changed files with 948 additions and 0 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/Brotli.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/Brotli.qll
@@ -0,0 +1,26 @@
+/**
+ * https://github.com/google/brotli
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `BrotliDecoderDecompress` function is used in flow sink.
+ * See https://www.brotli.org/decode.html.
+ */
+class BrotliDecoderDecompressFunction extends DecompressionFunction {
+  BrotliDecoderDecompressFunction() { this.hasGlobalName("BrotliDecoderDecompress") }
+
+  override int getArchiveParameterIndex() { result = 1 }
+}
+
+/**
+ * The `BrotliDecoderDecompressStream` function is used in flow sink.
+ * See https://www.brotli.org/decode.html.
+ */
+class BrotliDecoderDecompressStreamFunction extends DecompressionFunction {
+  BrotliDecoderDecompressStreamFunction() { this.hasGlobalName("BrotliDecoderDecompressStream") }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBomb.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBomb.qll
@@ -0,0 +1,26 @@
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import MiniZip
+import ZlibGzopen
+import ZlibInflator
+import ZlibUncompress
+import LibArchive
+import ZSTD
+import Brotli
+
+/**
+ * The Decompression Sink instances, extend this class to define new decompression sinks.
+ */
+abstract class DecompressionFunction extends Function {
+  abstract int getArchiveParameterIndex();
+}
+
+/**
+ * The Decompression Flow Steps, extend this class to define new decompression sinks.
+ */
+abstract class DecompressionFlowStep extends string {
+  bindingset[this]
+  DecompressionFlowStep() { any() }
+
+  abstract predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2);
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.qhelp
@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause denial of service attacks.</p>
+<p>Attackers can compress a huge file consisting of repeated similiar bytes into a small compressed file.</p>
+</overview>
+<recommendation>
+
+<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
+
+</recommendation>
+<example>
+
+<p>
+Reading an uncompressed Gzip file within a loop and check for a threshold size in each cycle.
+</p>
+<sample src="example_good.cpp"/>
+
+<p>
+The following example is unsafe, as we do not check the uncompressed size.
+</p>
+<sample src="example_bad.cpp" />
+
+</example>
+
+<references>
+
+<li>
+<a href="https://zlib.net/manual.html">Zlib documentation</a>
+</li>
+
+<li>
+<a href="https://www.bamsoftware.com/hacks/zipbomb/">An explanation of the attack</a>
+</li>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
@@ -0,0 +1,40 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @precision low
+ * @id cpp/data-decompression-bomb
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import cpp
+import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
+
+predicate isSink(FunctionCall fc, DataFlow::Node sink) {
+  exists(DecompressionFunction f | fc.getTarget() = f |
+    fc.getArgument(f.getArchiveParameterIndex()) = [sink.asExpr(), sink.asIndirectExpr()]
+  )
+}
+
+module DecompressionTaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node sink) { isSink(_, sink) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(DecompressionFlowStep s).isAdditionalFlowStep(node1, node2)
+  }
+}
+
+module DecompressionTaint = TaintTracking::Global<DecompressionTaintConfig>;
+
+import DecompressionTaint::PathGraph
+
+from DecompressionTaint::PathNode source, DecompressionTaint::PathNode sink, FunctionCall fc
+where DecompressionTaint::flowPath(source, sink) and isSink(fc, sink.getNode())
+select sink.getNode(), source, sink, "The decompression output of $@ is not limited", fc,
+  fc.getTarget().getName()
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/LibArchive.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/LibArchive.qll
@@ -0,0 +1,32 @@
+/**
+ * https://github.com/libarchive/libarchive/wiki
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `archive_read_data*` functions are used in flow sink.
+ * See https://github.com/libarchive/libarchive/wiki/Examples.
+ */
+class Archive_read_data_block extends DecompressionFunction {
+  Archive_read_data_block() {
+    this.hasGlobalName(["archive_read_data_block", "archive_read_data", "archive_read_data_into_fd"])
+  }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `archive_read_open_filename` function as a flow step.
+ */
+class ReadOpenFunctionStep extends DecompressionFlowStep {
+  ReadOpenFunctionStep() { this = "ReadOpenFunction" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("archive_read_open_filename") |
+      node1.asIndirectExpr() = fc.getArgument(1) and
+      node2.asIndirectExpr() = fc.getArgument(0)
+    )
+  }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/MiniZip.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/MiniZip.qll
@@ -0,0 +1,56 @@
+/**
+ * https://github.com/zlib-ng/minizip-ng
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `mz_zip_entry` function is used in flow sink.
+ * See https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip.md.
+ */
+class Mz_zip_entry extends DecompressionFunction {
+  Mz_zip_entry() { this.hasGlobalName("mz_zip_entry_read") }
+
+  override int getArchiveParameterIndex() { result = 1 }
+}
+
+/**
+ * The `mz_zip_reader_entry_*` and `mz_zip_reader_save_all` functions are used in flow sink.
+ * See https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip_rw.md.
+ */
+class Mz_zip_reader_entry extends DecompressionFunction {
+  Mz_zip_reader_entry() {
+    this.hasGlobalName([
+        "mz_zip_reader_entry_save", "mz_zip_reader_entry_read", "mz_zip_reader_entry_save_process",
+        "mz_zip_reader_entry_save_file", "mz_zip_reader_entry_save_buffer", "mz_zip_reader_save_all"
+      ])
+  }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `UnzOpen*` functions are used in flow sink.
+ */
+class UnzOpenFunction extends DecompressionFunction {
+  UnzOpenFunction() { this.hasGlobalName(["UnzOpen", "unzOpen64", "unzOpen2", "unzOpen2_64"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `mz_zip_reader_open_file` and `mz_zip_reader_open_file_in_memory` functions as a flow step.
+ */
+class ReaderOpenFunctionStep extends DecompressionFlowStep {
+  ReaderOpenFunctionStep() { this = "ReaderOpenFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc |
+      fc.getTarget().hasGlobalName(["mz_zip_reader_open_file_in_memory", "mz_zip_reader_open_file"])
+    |
+      node1.asIndirectExpr() = fc.getArgument(1) and
+      node2.asIndirectExpr() = fc.getArgument(0)
+    )
+  }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/ZSTD.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/ZSTD.qll
@@ -0,0 +1,88 @@
+/**
+ * https://github.com/facebook/zstd/blob/dev/examples/streaming_decompression.c
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `ZSTD_decompress`  function is used in flow sink.
+ */
+class ZstdDecompressFunction extends DecompressionFunction {
+  ZstdDecompressFunction() { this.hasGlobalName("ZSTD_decompress") }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}
+
+/**
+ * The `ZSTD_decompressDCtx` function is used in flow sink.
+ */
+class ZstdDecompressDctxFunction extends DecompressionFunction {
+  ZstdDecompressDctxFunction() { this.hasGlobalName("ZSTD_decompressDCtx") }
+
+  override int getArchiveParameterIndex() { result = 3 }
+}
+
+/**
+ * The `ZSTD_decompressStream` function is used in flow sink.
+ */
+class ZstdDecompressStreamFunction extends DecompressionFunction {
+  ZstdDecompressStreamFunction() { this.hasGlobalName("ZSTD_decompressStream") }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}
+
+/**
+ * The `ZSTD_decompress_usingDDict` function is used in flow sink.
+ */
+class ZstdDecompressUsingDdictFunction extends DecompressionFunction {
+  ZstdDecompressUsingDdictFunction() { this.hasGlobalName("ZSTD_decompress_usingDDict") }
+
+  override int getArchiveParameterIndex() { result = 3 }
+}
+
+/**
+ * The `fopen_orDie` function as a flow step.
+ */
+class FopenOrDieFunctionStep extends DecompressionFlowStep {
+  FopenOrDieFunctionStep() { this = "FopenOrDieFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("fopen_orDie") |
+      node1.asIndirectExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}
+
+/**
+ * The `fread_orDie` function as a flow step.
+ */
+class FreadOrDieFunctionStep extends DecompressionFlowStep {
+  FreadOrDieFunctionStep() { this = "FreadOrDieFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("fread_orDie") |
+      node1.asExpr() = fc.getArgument(2) and
+      node2.asIndirectExpr() = fc.getArgument(0)
+    )
+  }
+}
+
+/**
+ * The `src` member of a `ZSTD_inBuffer` variable is used in a flow steps.
+ */
+class SrcMember extends DecompressionFlowStep {
+  SrcMember() { this = "SrcMember" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(VariableAccess inBufferAccess, Field srcField, ClassAggregateLiteral c |
+      inBufferAccess.getType().hasName("ZSTD_inBuffer") and
+      srcField.hasName("src")
+    |
+      node2.asExpr() = inBufferAccess and
+      inBufferAccess.getTarget().getInitializer().getExpr() = c and
+      node1.asIndirectExpr() = c.getFieldExpr(srcField, _)
+    )
+  }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibGzopen.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibGzopen.qll
@@ -0,0 +1,71 @@
+/**
+ * https://www.zlib.net/
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `gzfread` function is used in flow sink.
+ *
+ * `gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file)`
+ */
+class GzFreadFunction extends DecompressionFunction {
+  GzFreadFunction() { this.hasGlobalName("gzfread") }
+
+  override int getArchiveParameterIndex() { result = 3 }
+}
+
+/**
+ * The `gzgets` function is used in flow sink.
+ *
+ * `gzgets(gzFile file, char *buf, int len)`
+ */
+class GzGetsFunction extends DecompressionFunction {
+  GzGetsFunction() { this.hasGlobalName("gzgets") }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `gzread` function is used in flow sink.
+ *
+ * `gzread(gzFile file, voidp buf, unsigned len)`
+ */
+class GzReadFunction extends DecompressionFunction {
+  GzReadFunction() { this.hasGlobalName("gzread") }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `gzdopen` function is used in flow steps.
+ *
+ * `gzdopen(int fd, const char *mode)`
+ */
+class GzdopenFunctionStep extends DecompressionFlowStep {
+  GzdopenFunctionStep() { this = "GzdopenFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("gzdopen") |
+      node1.asExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}
+
+/**
+ * The `gzopen` function is used in flow steps.
+ *
+ * `gzopen(const char *path, const char *mode)`
+ */
+class GzopenFunctionStep extends DecompressionFlowStep {
+  GzopenFunctionStep() { this = "GzopenFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("gzopen") |
+      node1.asIndirectExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibInflator.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibInflator.qll
@@ -0,0 +1,37 @@
+/**
+ * https://www.zlib.net/
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `inflate` and `inflateSync` functions are used in flow sink.
+ *
+ * `inflate(z_stream strm, int flush)`
+ *
+ * `inflateSync(z_stream strm)`
+ */
+class InflateFunction extends DecompressionFunction {
+  InflateFunction() { this.hasGlobalName(["inflate", "inflateSync"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `next_in` member of a `z_stream` variable is used in a flow steps.
+ */
+class NextInMemberStep extends DecompressionFlowStep {
+  NextInMemberStep() { this = "NextInMemberStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(Variable nextInVar |
+      nextInVar.getDeclaringType().hasName("z_stream") and
+      nextInVar.hasName("next_in")
+    |
+      node1.asIndirectExpr() = nextInVar.getAnAssignedValue() and
+      node2.asExpr() =
+        nextInVar.getAnAccess().getQualifier().(VariableAccess).getTarget().getAnAccess()
+    )
+  }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibUncompress.qll
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibUncompress.qll
@@ -0,0 +1,15 @@
+/**
+ * https://www.zlib.net/
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `uncompress`/`uncompress2` function is used in flow sink.
+ */
+class UncompressFunction extends DecompressionFunction {
+  UncompressFunction() { this.hasGlobalName(["uncompress", "uncompress2"]) }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/example_bad.cpp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/example_bad.cpp
@@ -0,0 +1,15 @@
+#include "zlib.h"
+
+void UnsafeGzread(gzFile inFileZ) {
+    const int BUFFER_SIZE = 8192;
+    unsigned char unzipBuffer[BUFFER_SIZE];
+    unsigned int unzippedBytes;
+    while (true) {
+        unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
+        if (unzippedBytes <= 0) {
+            break;
+        }
+
+        // process buffer
+    }
+}
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/example_good.cpp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/example_good.cpp
@@ -0,0 +1,23 @@
+#include "zlib.h"
+
+void SafeGzread(gzFile inFileZ) {
+    const int MAX_READ = 1024 * 1024 * 4;
+    const int BUFFER_SIZE = 8192;
+    unsigned char unzipBuffer[BUFFER_SIZE];
+    unsigned int unzippedBytes;
+    unsigned int totalRead = 0;
+    while (true) {
+        unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
+        totalRead += unzippedBytes;
+        if (unzippedBytes <= 0) {
+            break;
+        }
+
+        if (totalRead > MAX_READ) {
+            // Possible decompression bomb, stop processing.
+            break;
+        } else {
+            // process buffer
+        }
+    }
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected
@@ -0,0 +1,239 @@
+edges
+| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance |  |
+| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance |  |
+| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:21:30:21:52 | *access to array | provenance |  |
+| brotliTest.cpp:21:30:21:52 | *access to array | brotliTest.cpp:24:51:24:58 | **& ... | provenance |  |
+| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | provenance |  |
+| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:22:41:22:42 | *ar | provenance |  |
+| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance |  |
+| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:34:35:34:41 | *access to array | provenance |  |
+| libarchiveTests.cpp:34:32:34:32 | *a | libarchiveTests.cpp:38:27:38:27 | *a | provenance |  |
+| libarchiveTests.cpp:34:35:34:41 | *access to array | libarchiveTests.cpp:34:32:34:32 | *a | provenance | Config |
+| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | provenance |  |
+| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:38:27:38:27 | read_data output argument | provenance |  |
+| libarchiveTests.cpp:38:27:38:27 | read_data output argument | libarchiveTests.cpp:38:27:38:27 | *a | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:8:23:8:26 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:9:27:9:30 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:10:24:10:27 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | **argv | main.cpp:8:23:8:26 | brotli_test output argument | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:9:27:9:30 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:10:24:10:27 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument | provenance |  |
+| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:10:24:10:27 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:10:24:10:27 | **argv | main.cpp:10:24:10:27 | minizip_test output argument | provenance |  |
+| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance |  |
+| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance |  |
+| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance |  |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | *argv | provenance |  |
+| main.cpp:12:21:12:24 | **argv | zstdTest.cpp:26:39:26:42 | **argv | provenance |  |
+| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | **argv | provenance |  |
+| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | *argv | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:24:41:24:47 | *access to array | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | provenance |  |
+| minizipTest.cpp:24:29:24:38 | **zip_reader | minizipTest.cpp:26:30:26:39 | **zip_reader | provenance |  |
+| minizipTest.cpp:24:29:24:38 | *zip_reader | minizipTest.cpp:26:30:26:39 | *zip_reader | provenance |  |
+| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | **zip_reader | provenance | Config |
+| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | *zip_reader | provenance | Config |
+| zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:20:25:20:39 | *input | provenance |  |
+| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:16:26:16:30 | *input | provenance |  |
+| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:24:17:24:26 | & ... | provenance | Config |
+| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:25:13:25:22 | & ... | provenance | Config |
+| zlibTest.cpp:24:17:24:26 | & ... | zlibTest.cpp:25:13:25:22 | & ... | provenance |  |
+| zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:38:29:38:36 | *fileName | provenance |  |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:41:20:41:26 | inFileZ | provenance |  |
+| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | provenance |  |
+| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:48:29:48:36 | *fileName | provenance |  |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:51:38:51:44 | inFileZ | provenance |  |
+| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | provenance |  |
+| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:58:29:58:36 | *fileName | provenance |  |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:62:25:62:31 | inFileZ | provenance |  |
+| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | provenance |  |
+| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | provenance |  |
+| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:77:45:77:59 | *input | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:81:19:81:25 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:82:18:82:24 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | provenance |  |
+| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:82:18:82:24 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | provenance |  |
+| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | provenance |  |
+| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | provenance |  |
+| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | provenance |  |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | provenance |  |
+| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:85:19:85:25 | InflateString output argument | provenance |  |
+| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zstdTest.cpp:26:39:26:42 | **argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance |  |
+| zstdTest.cpp:26:39:26:42 | *argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance |  |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance |  |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:35:52:35:54 | fin | provenance |  |
+| zstdTest.cpp:27:35:27:41 | *access to array | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance | Config |
+| zstdTest.cpp:35:32:35:37 | **buffIn | zstdTest.cpp:36:32:36:37 | **buffIn | provenance |  |
+| zstdTest.cpp:35:32:35:37 | *buffIn | zstdTest.cpp:36:32:36:37 | *buffIn | provenance |  |
+| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | **buffIn | provenance | Config |
+| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | *buffIn | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:35:32:35:37 | **buffIn | provenance |  |
+| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:35:32:35:37 | *buffIn | provenance |  |
+| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance |  |
+| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance |  |
+nodes
+| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
+| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
+| brotliTest.cpp:18:35:18:53 | *access to array | semmle.label | *access to array |
+| brotliTest.cpp:21:30:21:52 | *access to array | semmle.label | *access to array |
+| brotliTest.cpp:24:51:24:58 | **& ... | semmle.label | **& ... |
+| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
+| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
+| libarchiveTests.cpp:22:41:22:42 | *ar | semmle.label | *ar |
+| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
+| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
+| libarchiveTests.cpp:34:32:34:32 | *a | semmle.label | *a |
+| libarchiveTests.cpp:34:35:34:41 | *access to array | semmle.label | *access to array |
+| libarchiveTests.cpp:38:27:38:27 | *a | semmle.label | *a |
+| libarchiveTests.cpp:38:27:38:27 | read_data output argument | semmle.label | read_data output argument |
+| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |
+| main.cpp:8:23:8:26 | **argv | semmle.label | **argv |
+| main.cpp:8:23:8:26 | brotli_test output argument | semmle.label | brotli_test output argument |
+| main.cpp:9:27:9:30 | **argv | semmle.label | **argv |
+| main.cpp:9:27:9:30 | libarchive_test output argument | semmle.label | libarchive_test output argument |
+| main.cpp:10:24:10:27 | **argv | semmle.label | **argv |
+| main.cpp:10:24:10:27 | minizip_test output argument | semmle.label | minizip_test output argument |
+| main.cpp:11:21:11:24 | **argv | semmle.label | **argv |
+| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
+| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
+| main.cpp:12:21:12:24 | **argv | semmle.label | **argv |
+| main.cpp:12:21:12:24 | *argv | semmle.label | *argv |
+| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
+| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
+| minizipTest.cpp:17:52:17:67 | *access to array | semmle.label | *access to array |
+| minizipTest.cpp:24:29:24:38 | **zip_reader | semmle.label | **zip_reader |
+| minizipTest.cpp:24:29:24:38 | *zip_reader | semmle.label | *zip_reader |
+| minizipTest.cpp:24:41:24:47 | *access to array | semmle.label | *access to array |
+| minizipTest.cpp:26:30:26:39 | **zip_reader | semmle.label | **zip_reader |
+| minizipTest.cpp:26:30:26:39 | *zip_reader | semmle.label | *zip_reader |
+| minizipTest.cpp:28:13:28:19 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
+| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
+| zlibTest.cpp:20:25:20:39 | *input | semmle.label | *input |
+| zlibTest.cpp:24:17:24:26 | & ... | semmle.label | & ... |
+| zlibTest.cpp:25:13:25:22 | & ... | semmle.label | & ... |
+| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:38:29:38:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:41:20:41:26 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:48:29:48:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:51:38:51:44 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:58:29:58:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:62:25:62:31 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
+| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
+| zlibTest.cpp:77:45:77:59 | *input | semmle.label | *input |
+| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
+| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
+| zlibTest.cpp:80:33:80:36 | **argv [Return] | semmle.label | **argv [Return] |
+| zlibTest.cpp:81:19:81:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | semmle.label | UnsafeGzfread output argument |
+| zlibTest.cpp:82:18:82:24 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | semmle.label | UnsafeGzgets output argument |
+| zlibTest.cpp:83:19:83:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | semmle.label | UnsafeInflate output argument |
+| zlibTest.cpp:84:18:84:24 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | semmle.label | UnsafeGzread output argument |
+| zlibTest.cpp:85:19:85:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:85:19:85:25 | InflateString output argument | semmle.label | InflateString output argument |
+| zstdTest.cpp:26:39:26:42 | **argv | semmle.label | **argv |
+| zstdTest.cpp:26:39:26:42 | *argv | semmle.label | *argv |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
+| zstdTest.cpp:27:35:27:41 | *access to array | semmle.label | *access to array |
+| zstdTest.cpp:35:32:35:37 | **buffIn | semmle.label | **buffIn |
+| zstdTest.cpp:35:32:35:37 | *buffIn | semmle.label | *buffIn |
+| zstdTest.cpp:35:52:35:54 | fin | semmle.label | fin |
+| zstdTest.cpp:36:32:36:37 | **buffIn | semmle.label | **buffIn |
+| zstdTest.cpp:36:32:36:37 | *buffIn | semmle.label | *buffIn |
+| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
+| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
+subpaths
+| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:38:27:38:27 | read_data output argument |
+| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | main.cpp:8:23:8:26 | brotli_test output argument |
+| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument |
+| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | main.cpp:10:24:10:27 | minizip_test output argument |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | main.cpp:11:21:11:24 | zlib_test output argument |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
+| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument |
+| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument |
+| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument |
+| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument |
+| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument |
+#select
+| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress |
+| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream |
+| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block |
+| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read |
+| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
+| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
+| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen |
+| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate |
+| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread |
+| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread |
+| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets |
+| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress |
+| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-409/DecompressionBombs.ql
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp
@@ -0,0 +1,26 @@
+typedef long unsigned int size_t;
+typedef unsigned char uint8_t;
+
+enum BrotliDecoderResult {};
+struct BrotliDecoderState;
+
+BrotliDecoderResult BrotliDecoderDecompress(
+        size_t encoded_size, const uint8_t encoded_buffer[],
+        size_t *decoded_size, uint8_t decoded_buffer[]);
+
+BrotliDecoderResult BrotliDecoderDecompressStream(
+        BrotliDecoderState *state, size_t *available_in, const uint8_t **next_in,
+        size_t *available_out, uint8_t **next_out, size_t *total_out);
+
+void brotli_test(int argc, const char **argv) {
+    uint8_t output[1024];
+    size_t output_size = sizeof(output);
+    BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
+
+    size_t input_size = 1024;
+    const uint8_t *input_p = (const uint8_t*)argv[2];
+    uint8_t *output_p = output;
+    size_t out_size;
+    BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
+                                  &output_p, &out_size);
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp
@@ -0,0 +1,42 @@
+#define    ARCHIVE_EOF     1
+#define    ARCHIVE_OK      0
+#define    ARCHIVE_WARN    (-20)
+
+struct archive;
+struct archive_entry;
+typedef int size_t;
+typedef int la_int64_t;
+
+archive *archive_read_new();
+int archive_read_open_filename(archive *pArchive, const char *filename, int i);
+int archive_read_next_header(archive *a, archive_entry **entry);
+int archive_entry_size(archive_entry *pEntry);
+int archive_read_data_block(archive *pArchive, const void **pVoid, size_t *pInt, la_int64_t *pInt1);
+
+static int read_data(archive *ar) {
+    for (;;) {
+        const void *buff;
+        size_t size;
+        la_int64_t offset;
+
+        int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
+        if (r == ARCHIVE_EOF)
+            return ARCHIVE_OK;
+        if (r < ARCHIVE_OK)
+            return r;
+    }
+}
+
+void libarchive_test(int argc, const char **argv) {
+    archive *a = archive_read_new();
+    archive_entry *entry;
+
+    archive_read_open_filename(a, argv[1], 10240);
+    for (;;) {
+        archive_read_next_header(a, &entry);
+        if (archive_entry_size(entry) > 0) {
+            if (read_data(a) < ARCHIVE_WARN)
+                break;
+        }
+    }
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp
@@ -0,0 +1,14 @@
+void brotli_test(int argc, const char **argv);
+void libarchive_test(int argc, const char **argv);
+void minizip_test(int argc, const char **argv);
+void zlib_test(int argc, const char **argv);
+void zstd_test(int argc, const char **argv);
+
+int main(int argc, const char **argv) {
+    brotli_test(argc, argv);
+    libarchive_test(argc, argv);
+    minizip_test(argc, argv);
+    zlib_test(argc, argv);
+    zstd_test(argc, argv);
+    return 0;
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp
@@ -0,0 +1,29 @@
+typedef signed int int32_t;
+
+void *mz_zip_reader_create();
+int32_t mz_zip_reader_open_file(void *handle, const char *path);
+int32_t mz_zip_reader_goto_first_entry(void *pVoid);
+int32_t mz_zip_reader_entry_save(void *pVoid, int stream, int write);
+int32_t mz_zip_entry_read(void *pVoid, void *buf, int32_t i);
+void UnzOpen(const char *string);
+
+void *mz_zip_create();
+
+void minizip_test(int argc, const char **argv) {
+    void *zip_handle = mz_zip_create();
+    int32_t bytes_read;
+    char buf[4096];
+    while(true) {
+        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
+        if (bytes_read <= 0) {
+            break;
+        }
+    }
+
+    void *zip_reader = mz_zip_reader_create();
+    mz_zip_reader_open_file(zip_reader, argv[1]);
+    mz_zip_reader_goto_first_entry(zip_reader);
+    mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
+
+    UnzOpen(argv[3]); // BAD
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp
@@ -0,0 +1,86 @@
+typedef unsigned char Bytef;
+typedef unsigned long uLong;
+typedef uLong uLongf;
+typedef unsigned int uInt;
+
+struct z_stream {
+    Bytef *next_in;
+    Bytef *next_out;
+    uInt avail_out;
+};
+
+void inflateInit(z_stream *infstream);
+void inflate(z_stream *infstream, int i);
+void inflateEnd(z_stream *infstream);
+
+void UnsafeInflate(char *input) {
+    unsigned char output[1024];
+
+    z_stream infstream;
+    infstream.next_in = (Bytef *) input; // input char array
+    infstream.avail_out = sizeof(output); // size of output
+    infstream.next_out = output; // output char array
+
+    inflateInit(&infstream);
+    inflate(&infstream, 0); // BAD
+}
+
+
+struct gzFile {
+};
+
+gzFile gzopen(char *str, const char *rb);
+unsigned int gzread(gzFile gz_file, unsigned char *str, int i);
+bool gzfread(char *str, int i, int i1, gzFile gz_file);
+char *gzgets(gzFile gz_file, char *buffer, int i);
+
+void UnsafeGzread(char *fileName) {
+    gzFile inFileZ = gzopen(fileName, "rb");
+    unsigned char unzipBuffer[8192];
+    while (true) {
+        if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
+            break;
+        }
+    }
+}
+
+void UnsafeGzfread(char *fileName) {
+    gzFile inFileZ = gzopen(fileName, "rb");
+    while (true) {
+        char buffer[1000];
+        if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
+            break;
+        }
+    }
+}
+
+void UnsafeGzgets(char *fileName) {
+    gzFile inFileZ = gzopen(fileName, "rb");
+    char *buffer = new char[4000000000];
+    char *result;
+    while (true) {
+        result = gzgets(inFileZ, buffer, 1000000000); // BAD
+        if (result == nullptr) {
+            break;
+        }
+    }
+}
+
+int uncompress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen);
+
+void InflateString(char *input) {
+    unsigned char output[1024];
+
+    uLong source_length = 500;
+    uLong destination_length = sizeof(output);
+
+    uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
+}
+
+void zlib_test(int argc, char **argv) {
+    UnsafeGzfread(argv[2]);
+    UnsafeGzgets(argv[2]);
+    UnsafeInflate(argv[2]);
+    UnsafeGzread(argv[2]);
+    InflateString(argv[2]);
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp
@@ -0,0 +1,43 @@
+typedef long unsigned int size_t;
+struct FILE;
+
+FILE *fopen_orDie(const char *filename, const char *instruction);
+size_t fread_orDie(void *const pVoid, const size_t read, FILE *const pFile);
+void *const malloc_orDie(const size_t size);
+
+struct ZSTD_DCtx;
+typedef struct ZSTD_inBuffer_s {
+    const void *src;
+    size_t size;
+    size_t pos;
+} ZSTD_inBuffer;
+typedef struct ZSTD_outBuffer_s {
+    void *dst;
+    size_t size;
+    size_t pos;
+} ZSTD_outBuffer;
+
+const size_t ZSTD_DStreamInSize();
+const size_t ZSTD_DStreamOutSize();
+ZSTD_DCtx *const ZSTD_createDCtx();
+const size_t ZSTD_decompressStream(ZSTD_DCtx *const pCtx, ZSTD_outBuffer *pS, ZSTD_inBuffer *pS1);
+void CHECK_ZSTD(const size_t ret);
+
+void zstd_test(int argc, const char **argv) {
+    FILE *const fin = fopen_orDie(argv[1], "rb");
+    size_t const buffInSize = ZSTD_DStreamInSize();
+    void *const buffIn = malloc_orDie(buffInSize);
+    size_t const buffOutSize = ZSTD_DStreamOutSize();
+    void *const buffOut = malloc_orDie(buffOutSize);
+
+    ZSTD_DCtx *const dctx = ZSTD_createDCtx();
+    size_t read;
+    while ((read = fread_orDie(buffIn, buffInSize, fin))) {
+        ZSTD_inBuffer input = {buffIn, read, 0};
+        while (input.pos < input.size) {
+            ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
+            size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD  
+            CHECK_ZSTD(ret);
+        }
+    }
+}
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-409/DecompressionBombs.ql`