Merge pull request #6372 from geoffw0/uncontrolledarith

2026-04-29 10:45:15 +02:00 · 2021-08-03 17:53:39 +02:00
parent eaf3d3cc03 54253bc2eb
commit 8ce6335383
5 changed files with 198 additions and 12 deletions
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -74,8 +74,15 @@ private class RandS extends RandomFunction {

 predicate missingGuard(VariableAccess va, string effect) {
  exists(Operation op | op.getAnOperand() = va |
-    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
+    // underflow - random numbers are usually non-negative, so underflow is
+    // only likely if the type is unsigned. Multiplication is also unlikely to
+    // cause underflow of a non-negative number.
+    missingGuardAgainstUnderflow(op, va) and
+    effect = "underflow" and
+    op.getUnspecifiedType().(IntegralType).isUnsigned() and
+    not op instanceof MulExpr
    or
+    // overflow
    missingGuardAgainstOverflow(op, va) and effect = "overflow"
  )
 }
@@ -108,6 +115,9 @@ class UncontrolledArithConfiguration extends TaintTracking::Configuration {
        op instanceof BitwiseAndExpr or
        op instanceof ComplementExpr
      ).getAnOperand*()
+    or
+    // block unintended flow to pointers
+    node.asExpr().getUnspecifiedType() instanceof PointerType
  }
 }