Merge pull request #6495 from andersfugmann/more_buffer_overrun_tests

More buffer overrun tests
2026-04-26 09:15:12 +02:00 · 2021-08-17 16:18:36 +02:00
parent 50a4345235 666d5917fa
commit 88372df125
2 changed files with 40 additions and 1 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp
@@ -0,0 +1,39 @@
+typedef unsigned char uint8_t;
+#define SIZE (32)
+
+void test_buffer_overrun_in_for_loop()
+{
+    uint8_t data[SIZE] = {0};
+    for (int x = 0; x < SIZE * 2; x++) {
+        data[x] = 0x41; // BAD [NOT DETECTED]
+    }
+}
+
+void test_buffer_overrun_in_while_loop_using_pointer_arithmetic()
+{
+    uint8_t data[SIZE] = {0};
+    int offset = 0;
+    while (offset < SIZE * 2) {
+        *(data + offset) = 0x41; // BAD [NOT DETECTED]
+        offset++;
+    }
+}
+
+void test_buffer_overrun_in_while_loop_using_array_indexing()
+{
+    uint8_t data[SIZE] = {0};
+    int offset = 0;
+    while (offset < SIZE * 2) {
+        data[offset] = 0x41; // BAD [NOT DETECTED]
+        offset++;
+    }
+}
+
+int main(int argc, char *argv[])
+{
+    test_buffer_overrun_in_for_loop();
+    test_buffer_overrun_in_while_loop_using_pointer_arithmetic();
+    test_buffer_overrun_in_while_loop_using_array_indexing();
+
+    return 0;
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -114,7 +114,7 @@ void test6(bool cond)
 	
 	c = 100;
 	buffer[c] = 'x'; // BAD: over-write [NOT DETECTED]
-	ch = buffer[c]; // BAD: under-read [NOT DETECTED]
+	ch = buffer[c]; // BAD: over-read [NOT DETECTED]

 	d = 0;
 	d = 1000;