C++: split cpp/overrunning-write into two

This splits the `cpp/overruning-write` into two separate queries based off on the reason for the estimation. If the overrun is detected based on non-trivial range analysis, the results are now marked by the new `cpp/very-likely-overruning-write` high precision query. If it is based on less precise, usually type based bounds, then it will still be marked by `cpp/overruning-write` which remains at medium precision.
2025-12-17 01:03:14 +01:00 · 2021-12-14 10:01:53 +00:00
parent 40ad88ba53
commit a0059202db
12 changed files with 75 additions and 37 deletions
--- a/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
@@ -0,0 +1,34 @@
+/**
+ * @name Likely overrunning write based on non-trivial analysis of value ranges
+ * @description Buffer write operations that do not control the length
+ *              of data written may overflow
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id cpp/very-likely-overrunning-write
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-120
+ *       external/cwe/cwe-787
+ *       external/cwe/cwe-805
+ */
+
+import semmle.code.cpp.security.BufferWrite
+import semmle.code.cpp.commons.Alloc
+
+/*
+ * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
+ */
+
+from BufferWrite bw, Expr dest, int destSize, int estimated, ValueFlowAnalysis reason
+where
+  not bw.hasExplicitLimit() and // has no explicit size limit
+  dest = bw.getDest() and
+  destSize = getBufferSize(dest, _) and
+  estimated = bw.getMaxDataLimited(reason) and
+  // we can deduce from non-trivial range analysis that too much data may be copied
+  estimated > destSize
+select bw,
+  "This '" + bw.getBWDesc() + "' operation requires " + estimated +
+    " bytes but the destination is only " + destSize + " bytes."