C++: Combine getOutputParameterIndex and isOutputStream.

2026-05-03 04:39:29 +02:00 · 2020-12-01 15:59:16 +00:00
parent c9c159ad0b
commit 7c00477736
6 changed files with 29 additions and 31 deletions
--- a/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
@@ -128,13 +128,13 @@ class UserDefinedFormattingFunction extends FormattingFunction {

  override int getFormatParameterIndex() { callsVariadicFormatter(this, _, result, _) }

-  override int getOutputParameterIndex() {
-    callsVariadicFormatter(this, _, _, result) and not result = -1
+  override int getOutputParameterIndex(boolean isStream) {
+    callsVariadicFormatter(this, "f", _, result) and isStream = true
+    or
+    callsVariadicFormatter(this, "s", _, result) and isStream = false
  }

  override predicate isOutputGlobal() { callsVariadicFormatter(this, "", _, _) }
-
-  override predicate isOutputStream() { callsVariadicFormatter(this, "f", _, _) }
 }

 /**
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -58,9 +58,7 @@ private class Fprintf extends FormattingFunction {

  deprecated override predicate isWideCharDefault() { hasGlobalOrStdName("fwprintf") }

-  override int getOutputParameterIndex() { result = 0 }
-
-  override predicate isOutputStream() { any() }
+  override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = true }
 }

 /**
@@ -113,7 +111,9 @@ private class Sprintf extends FormattingFunction {
    result = 1
  }

-  override int getOutputParameterIndex() { not hasGlobalName("g_strdup_printf") and result = 0 }
+  override int getOutputParameterIndex(boolean isStream) {
+    not hasGlobalName("g_strdup_printf") and result = 0 and isStream = false
+  }

  override int getFirstFormatArgumentIndex() {
    if hasGlobalName("__builtin___sprintf_chk")
@@ -168,7 +168,7 @@ private class SnprintfImpl extends Snprintf {
        .getSize() > 1
  }

-  override int getOutputParameterIndex() { result = 0 }
+  override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false }

  override int getFirstFormatArgumentIndex() {
    exists(string name |
@@ -228,7 +228,7 @@ private class StringCchPrintf extends FormattingFunction {
        .getSize() > 1
  }

-  override int getOutputParameterIndex() { result = 0 }
+  override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false }

  override int getSizeParameterIndex() { result = 1 }
 }
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -109,12 +109,19 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
  }

  /**
-   * Gets the position at which the output parameter, if any, occurs. This may
-   * be a buffer that characters are written to if this function behaves like
-   * `sprintf`.  Alternatively it may be a stream that is used for output if
-   * this function behaves like `fprintf` (see `isOutputStream`).
+   * Gets the position at which the output parameter, if any, occurs. If
+   * `isStream` is `true`, the output parameter is a stream (that is, this
+   * function behaves like `fprintf`). If `isStream` is `false`, the output
+   * parameter is a buffer (that is, this function behaves like `sprintf`).
   */
-  int getOutputParameterIndex() { none() }
+  int getOutputParameterIndex(boolean isStream) { none() }
+
+  /**
+   * Gets the position at which the output parameter, if any, occurs.
+   *
+   * DEPRECATED: use `getOutputParameterIndex(boolean isStream)` instead.
+   */
+  deprecated int getOutputParameterIndex() { result = getOutputParameterIndex(_) }

  /**
   * Holds if this function outputs to a global stream such as standard output,
@@ -122,12 +129,6 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
   */
  predicate isOutputGlobal() { none() }

-  /**
-   * Holds if this function outputs to the stream indicated by
-   * `getOutputParameterIndex()`, that is, this function behaves like `fprintf`.
-   */
-  predicate isOutputStream() { none() }
-
  /**
   * Gets the position of the first format argument, corresponding with
   * the first format specifier in the format string.
@@ -156,20 +157,18 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
  }

  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
-    bufParam = getOutputParameterIndex() and
+    bufParam = getOutputParameterIndex(false) and
    countParam = getSizeParameterIndex()
  }

  override predicate hasArrayWithUnknownSize(int bufParam) {
-    bufParam = getOutputParameterIndex() and
+    bufParam = getOutputParameterIndex(false) and
    not exists(getSizeParameterIndex())
  }

  override predicate hasArrayInput(int bufParam) { bufParam = getFormatParameterIndex() }

-  override predicate hasArrayOutput(int bufParam) {
-    bufParam = getOutputParameterIndex() and not isOutputStream()
-  }
+  override predicate hasArrayOutput(int bufParam) { bufParam = getOutputParameterIndex(false) }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    exists(int arg |
@@ -178,7 +177,7 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
        arg >= getFirstFormatArgumentIndex()
      ) and
      input.isParameterDeref(arg) and
-      output.isParameterDeref(getOutputParameterIndex())
+      output.isParameterDeref(getOutputParameterIndex(_))
    )
  }
 }
--- a/cpp/ql/src/semmle/code/cpp/security/BufferWrite.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/BufferWrite.qll
@@ -229,7 +229,7 @@ class SprintfBW extends BufferWriteCall {
    result = this.(FormattingFunctionCall).getFormatArgument(_)
  }

-  override Expr getDest() { result = getArgument(f.getOutputParameterIndex()) }
+  override Expr getDest() { result = getArgument(f.getOutputParameterIndex(false)) }

  override int getMaxData() {
    exists(FormatLiteral fl |
--- a/cpp/ql/src/semmle/code/cpp/security/FileWrite.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/FileWrite.qll
@@ -143,9 +143,8 @@ private predicate fileWrite(Call write, Expr source, Expr dest) {
    )
    or
    // fprintf
-    f.(FormattingFunction).isOutputStream() and
    s >= f.(FormattingFunction).getFormatParameterIndex() and
-    d = f.(FormattingFunction).getOutputParameterIndex()
+    d = f.(FormattingFunction).getOutputParameterIndex(true)
  )
  or
  // file stream using '<<', 'put' or 'write'
--- a/cpp/ql/src/semmle/code/cpp/security/TaintTrackingImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/TaintTrackingImpl.qll
@@ -478,7 +478,7 @@ private predicate copyValueBetweenArguments(Function f, int sourceArg, int destA
  or
  exists(FormattingFunction ff | ff = f |
    sourceArg in [ff.getFormatParameterIndex() .. maxArgIndex(f)] and
-    destArg = ff.getOutputParameterIndex()
+    destArg = ff.getOutputParameterIndex(false)
  )
 }