hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

CPP: Tests: CWE-120 test cases for calloc, realloc and new.

Browse Source
This commit is contained in:
Geoffrey White
2019-11-22 13:38:44 +00:00
parent d67ea4d768
commit a2c0532a84
2 changed files with 55 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.expected
View File

@@ -1,3 +1,10 @@
| tests2.cpp:17:3:17:8 | call to wcscpy | This 'call to wcscpy' operation requires 12 bytes but the destination is only 8 bytes. |
| tests2.cpp:22:3:22:8 | call to wcscpy | This 'call to wcscpy' operation requires 16 bytes but the destination is only 12 bytes. |
| tests2.cpp:27:3:27:8 | call to wcscpy | This 'call to wcscpy' operation requires 20 bytes but the destination is only 16 bytes. |
| tests2.cpp:31:3:31:8 | call to wcscpy | This 'call to wcscpy' operation requires 24 bytes but the destination is only 20 bytes. |
| tests2.cpp:36:3:36:8 | call to wcscpy | This 'call to wcscpy' operation requires 28 bytes but the destination is only 24 bytes. |
| tests2.cpp:41:3:41:8 | call to wcscpy | This 'call to wcscpy' operation requires 32 bytes but the destination is only 28 bytes. |
| tests2.cpp:46:3:46:8 | call to wcscpy | This 'call to wcscpy' operation requires 36 bytes but the destination is only 32 bytes. |
| tests.c:54:3:54:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 10 bytes. |
| tests.c:58:3:58:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 10 bytes. |
| tests.c:62:17:62:24 | buffer10 | This 'scanf string argument' operation requires 11 bytes but the destination is only 10 bytes. |

48
cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp Normal file
View File

@@ -0,0 +1,48 @@
// library types, functions etc
typedef unsigned long size_t;
void *malloc(size_t size);
void *realloc(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size);
void free(void *ptr);
wchar_t *wcscpy(wchar_t *s1, const wchar_t *s2);
// --- Semmle tests ---
void tests2() {
wchar_t *buffer;
buffer = (wchar_t *)malloc(2 * sizeof(wchar_t));
wcscpy(buffer, L"1"); // GOOD
wcscpy(buffer, L"12"); // BAD: buffer overflow
free(buffer);
buffer = (wchar_t *)malloc(3 * sizeof(wchar_t));
wcscpy(buffer, L"12"); // GOOD
wcscpy(buffer, L"123"); // BAD: buffer overflow
free(buffer);
buffer = (wchar_t *)realloc(0, 4 * sizeof(wchar_t));
wcscpy(buffer, L"123"); // GOOD
wcscpy(buffer, L"1234"); // BAD: buffer overflow
buffer = (wchar_t *)realloc(buffer, 5 * sizeof(wchar_t));
wcscpy(buffer, L"1234"); // GOOD
wcscpy(buffer, L"12345"); // BAD: buffer overflow
free(buffer);
buffer = (wchar_t *)calloc(6, sizeof(wchar_t));
wcscpy(buffer, L"12345"); // GOOD
wcscpy(buffer, L"123456"); // BAD: buffer overflow
free(buffer);
buffer = (wchar_t *)calloc(sizeof(wchar_t), 7);
wcscpy(buffer, L"123456"); // GOOD
wcscpy(buffer, L"1234567"); // BAD: buffer overflow
free(buffer);
buffer = new wchar_t[8];
wcscpy(buffer, L"1234567"); // GOOD
wcscpy(buffer, L"12345678"); // BAD: buffer overflow
delete [] buffer;
}