C++: Add test where buffer initialized with literal is reassigned an allocation

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.expected

@@ -1,2 +1,6 @@
+| tests2.cpp:59:3:59:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 0 bytes. |
+| tests2.cpp:59:3:59:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 2 bytes. |
+| tests2.cpp:63:3:63:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 0 bytes. |
+| tests2.cpp:63:3:63:10 | call to snprintf | This 'call to snprintf' operation is limited to 13 bytes but the destination is only 3 bytes. |
 | tests.c:43:3:43:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |
 | tests.c:46:3:46:10 | call to snprintf | This 'call to snprintf' operation is limited to 111 bytes but the destination is only 110 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp

@@ -6,6 +6,7 @@ void *realloc(void *ptr, size_t size);
 void *calloc(size_t nmemb, size_t size); 
 void free(void *ptr);
 wchar_t *wcscpy(wchar_t *s1, const wchar_t *s2); 
+int snprintf(char *s, size_t n, const char *format, ...);
 
 // --- Semmle tests ---
 
@@ -46,3 +47,18 @@ void tests2() {
   wcscpy(buffer, L"12345678"); // BAD: buffer overflow
   delete [] buffer;
 }
+
+char* dest1 = "a";
+char* dest2 = "abcdefghijklmnopqrstuvwxyz";
+
+void test3() {
+  const char src[] = "abcdefghijkl";
+  dest1 = (char*)malloc(sizeof(src));
+  if (!dest1)
+    return;
+  snprintf(dest1, sizeof(src), "%s", src); // GOOD [FALSE POSITIVE]
+  dest2 = (char*)malloc(3);
+  if (!dest2)
+    return;
+  snprintf(dest2, sizeof(src), "%s", src); // BAD: buffer overflow
+}