Merge branch 'main' into mathiasvp/array-field-flow

2026-05-05 13:45:19 +02:00 · 2020-09-16 10:45:31 +02:00
parent 50ad4cfec4 d828bc5f3a
commit 7b456d6162
94 changed files with 7573 additions and 1517 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -1,3 +1,5 @@
+| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
+| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
 | test3.c:15:10:15:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
 | test3.c:15:14:15:14 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
 | test3.c:15:18:15:18 | z | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
@@ -1,9 +1,15 @@
+| test2.cpp:14:11:14:15 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
+| test2.cpp:16:11:16:21 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
+| test2.cpp:17:11:17:22 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
 | test3.c:12:31:12:34 | * ... | $@ flows to here and is used in an expression which might overflow negatively. | test3.c:11:15:11:18 | argv | User-provided value |
 | test3.c:13:16:13:19 | * ... | $@ flows to here and is used in an expression which might overflow negatively. | test3.c:11:15:11:18 | argv | User-provided value |
 | test4.cpp:13:17:13:20 | access to array | $@ flows to here and is used in an expression which might overflow negatively. | test4.cpp:9:13:9:16 | argv | User-provided value |
 | test5.cpp:10:9:10:15 | call to strtoul | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:17:6:17:27 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:13 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test6.cpp:11:15:11:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
+| test6.cpp:16:15:16:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
+| test6.cpp:30:16:30:16 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
 | test.c:14:15:14:35 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:44:7:44:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value |
 | test.c:54:7:54:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp
@@ -0,0 +1,28 @@
+
+typedef signed long long int s64;
+
+typedef struct {} FILE;
+int fscanf(FILE *stream, const char *format, ...);
+FILE *stdin;
+
+typedef struct _myStruct {
+	s64 val;
+} MyStruct;
+
+void test2_sink(s64 v, MyStruct s, MyStruct &s_r, MyStruct *s_p)
+{
+	s64 v1 = v * 2; // bad
+	s64 v2 = s.val * 2; // bad [NOT DETECTED]
+	s64 v3 = s_r.val * 2; // bad
+	s64 v4 = s_p->val * 2; // bad
+}
+
+void test2_source()
+{
+	MyStruct ms;
+	s64 v;
+
+	fscanf(stdin, "%i", &v);
+	ms.val = v;
+	test2_sink(v, ms, ms, &ms);
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp
@@ -0,0 +1,54 @@
+
+typedef unsigned short u16;
+typedef unsigned int u32;
+
+typedef struct {} FILE;
+int fscanf(FILE *stream, const char *format, ...);
+FILE *stdin;
+
+void docast1(u32 s)
+{
+	u16 c = (u16)s; // bad
+}
+
+void docast2(u32 s)
+{
+	u16 c = (u16)s; // bad
+}
+
+class MyBaseClass
+{
+public:
+	virtual void docast(u32 s) = 0;
+};
+
+class MyDerivedClass : public MyBaseClass
+{
+public:
+	void docast(u32 s)
+	{
+		u16 c = (u16)s; // bad
+	}
+};
+
+void test6()
+{
+    u32 s;
+
+	s = -1;
+	fscanf(stdin, "%hd", &s);
+
+	docast1(s);
+	{
+		void (*docast2_ptr)(u32) = &docast2;
+	
+		docast2_ptr(s);
+	}
+	{
+		MyBaseClass *mbc = new MyDerivedClass;
+
+		mbc->docast(s);
+
+		delete mbc;
+	}
+}