C++: convert to path-problem
@@ -1,6 +1,6 @@
|
|||||||
/**
|
/**
|
||||||
* @id cpp/constant-size-array-off-by-one
|
* @id cpp/constant-size-array-off-by-one
|
||||||
* @kind problem
|
* @kind path-problem
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
|
import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
|
||||||
@@ -10,6 +10,8 @@ import semmle.code.cpp.ir.IR
|
|||||||
import experimental.semmle.code.cpp.ir.dataflow.DataFlow
|
import experimental.semmle.code.cpp.ir.dataflow.DataFlow
|
||||||
import experimental.semmle.code.cpp.ir.dataflow.DataFlow2
|
import experimental.semmle.code.cpp.ir.dataflow.DataFlow2
|
||||||
|
|
||||||
|
import DataFlow2::PathGraph
|
||||||
|
|
||||||
pragma[nomagic]
|
pragma[nomagic]
|
||||||
Instruction getABoundIn(SemBound b, IRFunction func) {
|
Instruction getABoundIn(SemBound b, IRFunction func) {
|
||||||
result = b.getExpr(0) and
|
result = b.getExpr(0) and
|
||||||
@@ -89,12 +91,12 @@ class PointerArithmeticToDerefConf extends DataFlow2::Configuration {
|
|||||||
}
|
}
|
||||||
|
|
||||||
from
|
from
|
||||||
Field f, DataFlow::Node source, DataFlow::Node sink, Instruction deref,
|
Field f, DataFlow2::PathNode source, DataFlow2::PathNode sink, Instruction deref,
|
||||||
PointerArithmeticToDerefConf conf, string operation, int delta
|
PointerArithmeticToDerefConf conf, string operation, int delta
|
||||||
where
|
where
|
||||||
conf.hasFlow(source, sink) and
|
conf.hasFlowPath(source, sink) and
|
||||||
isInvalidPointerDerefSink(sink, deref, operation) and
|
isInvalidPointerDerefSink(sink.getNode(), deref, operation) and
|
||||||
isConstantSizeOverflowSource(f, source.asInstruction(), delta)
|
isConstantSizeOverflowSource(f, source.getNode().asInstruction(), delta)
|
||||||
select source,
|
select source, source, sink,
|
||||||
"This pointer arithmetic may have an off-by-" + (delta + 1) +
|
"This pointer arithmetic may have an off-by-" + (delta + 1) +
|
||||||
" error allowing it to overrun $@ at this $@.", f, f.getName(), deref, operation
|
" error allowing it to overrun $@ at this $@.", f, f.getName(), deref, operation
|
||||||
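Review bot: The new `select source, source, sink, …` at the end of the third hunk emits one alert per sink `PathNode`, and the updated expected output shows the effect: the single store at test.cpp:67:5:67:10 now yields four `#select` rows (sinks `p` and `Load` at 66:32, `* ...` at 67:5 and `Load` at 67:6), all with the same `deref`, the same `f` and the same message, where the old `problem` query produced one because `sink` was not part of the select tuple. For triage this is the same overrun reported four times, and the duplicate count grows with every intermediate node that `isInvalidPointerDerefSink(sink.getNode(), deref, operation)` accepts on the way to one dereference. The fix belongs in the sink side rather than this `where` clause: restrict `isSink` in `PointerArithmeticToDerefConf` (its body, and `isInvalidPointerDerefSink`, are defined outside these hunks) so only the node actually consumed by the dereferencing instruction qualifies, e.g. the node whose instruction is the address operand of `deref`, and add a comment on the predicate stating that it must be functional in `deref` to keep one path per alert. Until then the expected file is recording duplicated results as correct.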
|
|||||||
@@ -1,9 +1,37 @@
|
|||||||
| test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
|
edges
|
||||||
| test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
|
| test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | Load |
|
||||||
| test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
|
| test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
|
||||||
| test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
|
| test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | Load |
|
||||||
| test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
|
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
|
||||||
| test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
|
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
|
||||||
| test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
|
| test.cpp:77:27:77:44 | access to array | test.cpp:77:26:77:44 | & ... |
|
||||||
| test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
|
nodes
|
||||||
| test.cpp:77:27:77:44 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
| test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:66:32:66:32 | Load | semmle.label | Load |
|
||||||
|
| test.cpp:66:32:66:32 | p | semmle.label | p |
|
||||||
|
| test.cpp:66:32:66:32 | p | semmle.label | p |
|
||||||
|
| test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
|
||||||
|
| test.cpp:67:6:67:6 | Load | semmle.label | Load |
|
||||||
|
| test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
|
||||||
|
| test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
|
||||||
|
| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
|
||||||
|
subpaths
|
||||||
|
#select
|
||||||
|
| test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
|
||||||
|
| test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
|
||||||
|
| test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
|
||||||
|
| test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
|
||||||
|
| test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
|
||||||
|
| test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
|
||||||
|
| test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
|
||||||
|
| test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
|
||||||
|
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||||
|
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||||
|
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||||
|
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:6:67:6 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||||
|
|||||||