Merge branch 'main' into typos

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1066,6 +1066,10 @@ private module GetConvertedResultExpression {
   private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
   private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
 
+  private Operand getAnInitializeDynamicAllocationInstructionAddress() {
+    result = any(InitializeDynamicAllocationInstruction init).getAllocationAddressOperand()
+  }
+
   /**
    * Gets the expression that should be returned as the result expression from `instr`.
    *
@@ -1074,7 +1078,16 @@ private module GetConvertedResultExpression {
    */
   Expr getConvertedResultExpression(Instruction instr, int n) {
     // Only fully converted instructions have a result for `asConvertedExpr`
-    not conversionFlow(unique( | | getAUse(instr)), _, false, false) and
+    not conversionFlow(unique(Operand op |
+        // The address operand of a `InitializeDynamicAllocationInstruction` is
+        // special: we need to handle it during dataflow (since it's
+        // effectively a store to an indirection), but it doesn't appear in
+        // source syntax, so dataflow node <-> expression conversion shouldn't
+        // care about it.
+        op = getAUse(instr) and not op = getAnInitializeDynamicAllocationInstructionAddress()
+      |
+        op
+      ), _, false, false) and
     result = getConvertedResultExpressionImpl(instr) and
     n = 0
     or

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected

@@ -47,25 +47,19 @@ edges
 | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
 | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
 | test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer |
-| test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
 | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
 | test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer |
-| test.cpp:228:43:228:48 | call to malloc | test.cpp:232:10:232:15 | buffer |
 | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
 | test.cpp:236:5:236:26 | ... = ... | test.cpp:236:12:236:17 | p_str indirection [post update] [string] |
 | test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer |
-| test.cpp:241:27:241:32 | call to malloc | test.cpp:242:22:242:27 | buffer |
 | test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | str indirection [string] |
 | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
 | test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
 | test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
 | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p |
 | test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p |
-| test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
 | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p |
-| test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
 | test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p |
-| test.cpp:264:20:264:25 | call to malloc | test.cpp:266:12:266:12 | p |
 nodes
 | test.cpp:16:11:16:21 | mk_string_t indirection [string] | semmle.label | mk_string_t indirection [string] |
 | test.cpp:18:5:18:30 | ... = ... | semmle.label | ... = ... |
@@ -116,16 +110,13 @@ nodes
 | test.cpp:214:24:214:24 | p | semmle.label | p |
 | test.cpp:216:10:216:10 | p | semmle.label | p |
 | test.cpp:220:27:220:54 | call to malloc | semmle.label | call to malloc |
-| test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
 | test.cpp:222:15:222:20 | buffer | semmle.label | buffer |
 | test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc |
-| test.cpp:228:43:228:48 | call to malloc | semmle.label | call to malloc |
 | test.cpp:232:10:232:15 | buffer | semmle.label | buffer |
 | test.cpp:235:40:235:45 | buffer | semmle.label | buffer |
 | test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... |
 | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | semmle.label | p_str indirection [post update] [string] |
 | test.cpp:241:20:241:38 | call to malloc | semmle.label | call to malloc |
-| test.cpp:241:27:241:32 | call to malloc | semmle.label | call to malloc |
 | test.cpp:242:16:242:19 | set_string output argument [string] | semmle.label | set_string output argument [string] |
 | test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
 | test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
@@ -133,12 +124,9 @@ nodes
 | test.cpp:249:14:249:33 | call to my_alloc | semmle.label | call to my_alloc |
 | test.cpp:250:12:250:12 | p | semmle.label | p |
 | test.cpp:256:9:256:25 | call to malloc | semmle.label | call to malloc |
-| test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |
 | test.cpp:257:12:257:12 | p | semmle.label | p |
 | test.cpp:262:15:262:30 | call to malloc | semmle.label | call to malloc |
-| test.cpp:262:22:262:27 | call to malloc | semmle.label | call to malloc |
 | test.cpp:264:13:264:30 | call to malloc | semmle.label | call to malloc |
-| test.cpp:264:20:264:25 | call to malloc | semmle.label | call to malloc |
 | test.cpp:266:12:266:12 | p | semmle.label | p |
 subpaths
 | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | test.cpp:242:16:242:19 | set_string output argument [string] |
@@ -159,7 +147,5 @@ subpaths
 | test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string |
 | test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string |
 | test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string |
-| test.cpp:243:5:243:10 | call to memset | test.cpp:241:27:241:32 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string |
 | test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p |
 | test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p |
-| test.cpp:266:5:266:10 | call to memset | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p |

cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected

@@ -1,9 +1,9 @@
 edges
-| test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
-| test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
-| test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... |
-| test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... |
-| test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | * ... |
+| test.cpp:4:15:4:33 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:4:15:4:33 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:4:15:4:33 | call to malloc | test.cpp:6:14:6:15 | * ... |
+| test.cpp:4:15:4:33 | call to malloc | test.cpp:6:14:6:15 | * ... |
+| test.cpp:4:15:4:33 | call to malloc | test.cpp:8:14:8:21 | * ... |
 | test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | ... + ... |
 | test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
 | test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
@@ -12,12 +12,12 @@ edges
 | test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
 | test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
 | test.cpp:6:14:6:15 | * ... | test.cpp:8:14:8:21 | * ... |
-| test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | * ... |
-| test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
-| test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
-| test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | * ... |
-| test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | * ... |
-| test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | * ... |
+| test.cpp:16:15:16:33 | call to malloc | test.cpp:20:14:20:21 | * ... |
+| test.cpp:28:15:28:37 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:28:15:28:37 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:28:15:28:37 | call to malloc | test.cpp:30:14:30:15 | * ... |
+| test.cpp:28:15:28:37 | call to malloc | test.cpp:30:14:30:15 | * ... |
+| test.cpp:28:15:28:37 | call to malloc | test.cpp:32:14:32:21 | * ... |
 | test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | ... + ... |
 | test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
 | test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
@@ -26,22 +26,9 @@ edges
 | test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
 | test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
 | test.cpp:30:14:30:15 | * ... | test.cpp:32:14:32:21 | * ... |
-| test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:28 | ... + ... |
-| test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:28 | ... + ... |
-| test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | * ... |
-| test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | * ... |
-| test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | * ... |
-| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | ... + ... |
-| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
-| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
-| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
-| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
-| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | * ... |
-| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | * ... |
-| test.cpp:42:14:42:15 | * ... | test.cpp:44:14:44:21 | * ... |
 | test.cpp:51:33:51:35 | end | test.cpp:60:34:60:37 | mk_array output argument |
-| test.cpp:52:19:52:24 | call to malloc | test.cpp:53:5:53:23 | ... = ... |
-| test.cpp:52:19:52:24 | call to malloc | test.cpp:53:12:53:23 | ... + ... |
+| test.cpp:52:19:52:37 | call to malloc | test.cpp:53:5:53:23 | ... = ... |
+| test.cpp:52:19:52:37 | call to malloc | test.cpp:53:12:53:23 | ... + ... |
 | test.cpp:53:5:53:23 | ... = ... | test.cpp:51:33:51:35 | end |
 | test.cpp:53:12:53:23 | ... + ... | test.cpp:53:5:53:23 | ... = ... |
 | test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... |
@@ -183,8 +170,8 @@ edges
 | test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array |
 | test.cpp:792:60:792:62 | end | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument |
 | test.cpp:792:60:792:62 | end | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument |
-| test.cpp:793:14:793:19 | call to malloc | test.cpp:794:5:794:24 | ... = ... |
-| test.cpp:793:14:793:19 | call to malloc | test.cpp:794:12:794:24 | ... + ... |
+| test.cpp:793:14:793:32 | call to malloc | test.cpp:794:5:794:24 | ... = ... |
+| test.cpp:793:14:793:32 | call to malloc | test.cpp:794:12:794:24 | ... + ... |
 | test.cpp:794:5:794:24 | ... = ... | test.cpp:792:60:792:62 | end |
 | test.cpp:794:12:794:24 | ... + ... | test.cpp:794:5:794:24 | ... = ... |
 | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | test.cpp:807:7:807:12 | ... = ... |
@@ -193,29 +180,25 @@ edges
 | test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... |
 | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | test.cpp:833:37:833:39 | end |
 | test.cpp:833:37:833:39 | end | test.cpp:815:52:815:54 | end |
+| test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... |
+| test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... |
 nodes
-| test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:4:15:4:33 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
 | test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
 | test.cpp:6:14:6:15 | * ... | semmle.label | * ... |
 | test.cpp:6:14:6:15 | * ... | semmle.label | * ... |
 | test.cpp:8:14:8:21 | * ... | semmle.label | * ... |
-| test.cpp:16:15:16:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:16:15:16:33 | call to malloc | semmle.label | call to malloc |
 | test.cpp:20:14:20:21 | * ... | semmle.label | * ... |
-| test.cpp:28:15:28:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:28:15:28:37 | call to malloc | semmle.label | call to malloc |
 | test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
 | test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
 | test.cpp:30:14:30:15 | * ... | semmle.label | * ... |
 | test.cpp:30:14:30:15 | * ... | semmle.label | * ... |
 | test.cpp:32:14:32:21 | * ... | semmle.label | * ... |
-| test.cpp:40:15:40:20 | call to malloc | semmle.label | call to malloc |
-| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
-| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
-| test.cpp:42:14:42:15 | * ... | semmle.label | * ... |
-| test.cpp:42:14:42:15 | * ... | semmle.label | * ... |
-| test.cpp:44:14:44:21 | * ... | semmle.label | * ... |
 | test.cpp:51:33:51:35 | end | semmle.label | end |
-| test.cpp:52:19:52:24 | call to malloc | semmle.label | call to malloc |
+| test.cpp:52:19:52:37 | call to malloc | semmle.label | call to malloc |
 | test.cpp:53:5:53:23 | ... = ... | semmle.label | ... = ... |
 | test.cpp:53:12:53:23 | ... + ... | semmle.label | ... + ... |
 | test.cpp:60:34:60:37 | mk_array output argument | semmle.label | mk_array output argument |
@@ -313,7 +296,7 @@ nodes
 | test.cpp:781:14:781:27 | new[] | semmle.label | new[] |
 | test.cpp:786:18:786:27 | access to array | semmle.label | access to array |
 | test.cpp:792:60:792:62 | end | semmle.label | end |
-| test.cpp:793:14:793:19 | call to malloc | semmle.label | call to malloc |
+| test.cpp:793:14:793:32 | call to malloc | semmle.label | call to malloc |
 | test.cpp:794:5:794:24 | ... = ... | semmle.label | ... = ... |
 | test.cpp:794:12:794:24 | ... + ... | semmle.label | ... + ... |
 | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | semmle.label | mk_array_no_field_flow output argument |
@@ -323,16 +306,18 @@ nodes
 | test.cpp:821:7:821:12 | ... = ... | semmle.label | ... = ... |
 | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | semmle.label | mk_array_no_field_flow output argument |
 | test.cpp:833:37:833:39 | end | semmle.label | end |
+| test.cpp:841:18:841:35 | call to malloc | semmle.label | call to malloc |
+| test.cpp:842:3:842:20 | ... = ... | semmle.label | ... = ... |
+| test.cpp:848:20:848:37 | call to malloc | semmle.label | call to malloc |
+| test.cpp:849:5:849:22 | ... = ... | semmle.label | ... = ... |
 subpaths
 #select
-| test.cpp:6:14:6:15 | * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
-| test.cpp:8:14:8:21 | * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
-| test.cpp:20:14:20:21 | * ... | test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:20 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
-| test.cpp:30:14:30:15 | * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
-| test.cpp:32:14:32:21 | * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
-| test.cpp:42:14:42:15 | * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
-| test.cpp:44:14:44:21 | * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
-| test.cpp:67:9:67:14 | ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
+| test.cpp:6:14:6:15 | * ... | test.cpp:4:15:4:33 | call to malloc | test.cpp:6:14:6:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:33 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:8:14:8:21 | * ... | test.cpp:4:15:4:33 | call to malloc | test.cpp:8:14:8:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:33 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:20:14:20:21 | * ... | test.cpp:16:15:16:33 | call to malloc | test.cpp:20:14:20:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:33 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
+| test.cpp:30:14:30:15 | * ... | test.cpp:28:15:28:37 | call to malloc | test.cpp:30:14:30:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:37 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:32:14:32:21 | * ... | test.cpp:28:15:28:37 | call to malloc | test.cpp:32:14:32:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:37 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:67:9:67:14 | ... = ... | test.cpp:52:19:52:37 | call to malloc | test.cpp:67:9:67:14 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:37 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
 | test.cpp:201:5:201:19 | ... = ... | test.cpp:194:15:194:33 | call to malloc | test.cpp:201:5:201:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:194:15:194:33 | call to malloc | call to malloc | test.cpp:195:21:195:23 | len | len |
 | test.cpp:213:5:213:13 | ... = ... | test.cpp:205:15:205:33 | call to malloc | test.cpp:213:5:213:13 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:205:15:205:33 | call to malloc | call to malloc | test.cpp:206:21:206:23 | len | len |
 | test.cpp:232:3:232:20 | ... = ... | test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:231:18:231:30 | new[] | new[] | test.cpp:232:11:232:15 | index | index |
@@ -359,5 +344,7 @@ subpaths
 | test.cpp:772:16:772:29 | access to array | test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:754:18:754:31 | new[] | new[] | test.cpp:767:22:767:28 | ... + ... | ... + ... |
 | test.cpp:772:16:772:29 | access to array | test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:754:18:754:31 | new[] | new[] | test.cpp:772:22:772:28 | ... + ... | ... + ... |
 | test.cpp:786:18:786:27 | access to array | test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:781:14:781:27 | new[] | new[] | test.cpp:786:20:786:26 | ... + ... | ... + ... |
-| test.cpp:807:7:807:12 | ... = ... | test.cpp:793:14:793:19 | call to malloc | test.cpp:807:7:807:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:793:14:793:19 | call to malloc | call to malloc | test.cpp:794:21:794:24 | size | size |
-| test.cpp:821:7:821:12 | ... = ... | test.cpp:793:14:793:19 | call to malloc | test.cpp:821:7:821:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:793:14:793:19 | call to malloc | call to malloc | test.cpp:794:21:794:24 | size | size |
+| test.cpp:807:7:807:12 | ... = ... | test.cpp:793:14:793:32 | call to malloc | test.cpp:807:7:807:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:793:14:793:32 | call to malloc | call to malloc | test.cpp:794:21:794:24 | size | size |
+| test.cpp:821:7:821:12 | ... = ... | test.cpp:793:14:793:32 | call to malloc | test.cpp:821:7:821:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:793:14:793:32 | call to malloc | call to malloc | test.cpp:794:21:794:24 | size | size |
+| test.cpp:842:3:842:20 | ... = ... | test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:841:18:841:35 | call to malloc | call to malloc | test.cpp:842:11:842:15 | index | index |
+| test.cpp:849:5:849:22 | ... = ... | test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:848:20:848:37 | call to malloc | call to malloc | test.cpp:849:13:849:17 | index | index |

cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp

@@ -1,7 +1,7 @@
-char *malloc(int size);
+using size_t = decltype(sizeof 0); void* malloc(size_t size);
 
 void test1(int size) {
-    char* p = malloc(size);
+    char* p = (char*)malloc(size);
     char* q = p + size; // $ alloc=L4
     char a = *q; // $ deref=L6 // BAD
     char b = *(q - 1); // GOOD
@@ -13,7 +13,7 @@ void test1(int size) {
 }
 
 void test2(int size) {
-    char* p = malloc(size);
+    char* p = (char*)malloc(size);
     char* q = p + size - 1; // $ alloc=L16
     char a = *q; // GOOD
     char b = *(q - 1); // GOOD
@@ -25,7 +25,7 @@ void test2(int size) {
 }
 
 void test3(int size) {
-    char* p = malloc(size + 1);
+    char* p = (char*)malloc(size + 1);
     char* q = p + (size + 1); // $ alloc=L28+1
     char a = *q; // $ deref=L30 // BAD
     char b = *(q - 1); // GOOD
@@ -37,11 +37,11 @@ void test3(int size) {
 }
 
 void test4(int size) {
-    char* p = malloc(size - 1);
-    char* q = p + (size - 1); // $ alloc=L40-1
-    char a = *q; // $ deref=L42 // BAD
+    char* p = (char*)malloc(size - 1);
+    char* q = p + (size - 1); // $ MISSING: alloc=L40-1
+    char a = *q; // $ MISSING: deref=L42 // BAD [NOT DETECTED]
     char b = *(q - 1); // GOOD
-    char c = *(q + 1); // $ deref=L44+1 // BAD
+    char c = *(q + 1); // $ MISSING: deref=L44+1 // BAD [NOT DETECTED]
     char d = *(q + size); // BAD [NOT DETECTED]
     char e = *(q - size); // GOOD
     char f = *(q + size + 1); // BAD [NOT DETECTED]
@@ -49,7 +49,7 @@ void test4(int size) {
 }
 
 char* mk_array(int size, char** end) {
-    char* begin = malloc(size);
+    char* begin = (char*)malloc(size);
     *end = begin + size; // $ alloc=L52
 
     return begin;
@@ -79,7 +79,7 @@ struct array_t {
 
 array_t mk_array(int size) {
     array_t arr;
-    arr.begin = malloc(size);
+    arr.begin = (char*)malloc(size);
     arr.end = arr.begin + size; // $ MISSING: alloc=L82
 
     return arr;
@@ -121,7 +121,7 @@ void test7(int size) {
 
 void test8(int size) {
     array_t arr;
-    char* p = malloc(size);
+    char* p = (char*)malloc(size);
     arr.begin = p;
     arr.end = p + size; // $ alloc=L124
 
@@ -140,7 +140,7 @@ void test8(int size) {
 
 array_t *mk_array_p(int size) {
     array_t *arr = (array_t*) malloc(sizeof(array_t));
-    arr->begin = malloc(size);
+    arr->begin = (char*)malloc(size);
     arr->end = arr->begin + size; // $ MISSING: alloc=L143
 
     return arr;
@@ -185,7 +185,7 @@ void deref_plus_one(char* q) {
 }
 
 void test11(unsigned size) {
-    char *p = malloc(size);
+    char *p = (char*)malloc(size);
     char *q = p + size - 1; // $ alloc=L188
     deref_plus_one(q);
 }
@@ -215,7 +215,7 @@ void test13(unsigned len, unsigned index) {
 
 bool unknown();
 
-void test14(unsigned long n, char *p) {
+void test14(size_t n, char *p) {
   while (unknown()) {
     n++;
     p = (char *)malloc(n);
@@ -706,7 +706,7 @@ void deref(char* q) {
   char x = *q; // $ deref=L714->L705->L706 // BAD
 }
 
-void test35(unsigned long size, char* q)
+void test35(size_t size, char* q)
 {
   char* p = new char[size];
   char* end = p + size; // $ alloc=L711
@@ -734,10 +734,10 @@ void test36(unsigned size, unsigned n) {
   }
 }
 
-void test37(unsigned long n)
+void test37(size_t n)
 {
   int *p = new int[n];
-  for (unsigned long i = n; i != 0u; i--)
+  for (size_t i = n; i != 0u; i--)
   {
     p[n - i] = 0; // GOOD
   }
@@ -790,7 +790,7 @@ void test38_simple(unsigned size, unsigned pos, unsigned numParams) {
 }
 
 void mk_array_no_field_flow(int size, char** begin, char** end) {
-    *begin = malloc(size);
+    *begin = (char*)malloc(size);
     *end = *begin + size; // $ alloc=L793
 }
 
@@ -832,3 +832,20 @@ void test7_no_field_flow(int size) {
   mk_array_no_field_flow(size, &begin, &end);
   test7_callee_no_field_flow(begin, end);
 }
+
+void test15_with_malloc(size_t index) {
+  size_t size = index + 13;
+  if(size < index) {
+    return;
+  }
+  int* newname = (int*)malloc(size);
+  newname[index] = 0; // $ SPURIOUS: alloc=L841 deref=L842 // GOOD [FALSE POSITIVE]
+}
+
+void test16_with_malloc(size_t index) {
+  size_t size = index + 13;
+  if(size >= index) {
+    int* newname = (int*)malloc(size);
+    newname[index] = 0; // $ SPURIOUS: alloc=L848 deref=L849 // GOOD [FALSE POSITIVE]
+  }
+}