C++: Properly handle conversions in convertedExprMayThrow. This recursive implementation idea is stolen from convertedExprMightOverflow in SimpleRangeAnalysis.

2026-04-30 19:26:02 +02:00 · 2021-05-07 12:31:43 +02:00
parent 7adb7b67f2
commit 90e8368258
3 changed files with 7 additions and 5 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -107,7 +107,11 @@ predicate stmtMayThrow(Stmt stmt) {
 }

 /** Holds if the evaluation of `e` (including conversions) may throw an exception. */
-predicate convertedExprMayThrow(Expr e) { exprMayThrow(e.getFullyConverted()) }
+predicate convertedExprMayThrow(Expr e) {
+  exprMayThrow(e)
+  or
+  convertedExprMayThrow(e.getConversion())
+}

 /** Holds if the evaluation of `e` may throw an exception. */
 predicate exprMayThrow(Expr e) {
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -14,6 +14,4 @@
 | test.cpp:93:15:93:41 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:96:10:96:36 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
-| test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
 | test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |
-| test.cpp:225:23:225:29 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:226:34:226:36 | { ... } | This catch block |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -196,7 +196,7 @@ void good_new_with_throwing_call() {

 void bad_new_with_nonthrowing_call() {
  try {
-    int* p1 = new(std::nothrow) int; // BAD
+    int* p1 = new(std::nothrow) int; // BAD [NOT DETECTED]
    calls_non_throwing(p1);
  } catch(...) {  }

@@ -222,6 +222,6 @@ void good_new_catch_exception_in_assignment() {

 void good_new_catch_exception_in_conversion() {
  try {
-    long* p = (long*) new int; // GOOD [FALSE POSITIVE]
+    long* p = (long*) new int; // GOOD
  } catch(const std::bad_alloc&) { }
 }