C++: Test field conflation with array in struct

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -1,4 +1,13 @@
 edges
+| field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:13:10:13:25 | Chi |
+| field_conflation.c:12:22:12:34 | (const char *)... | field_conflation.c:13:10:13:25 | Chi |
+| field_conflation.c:13:10:13:25 | Chi | field_conflation.c:19:15:19:17 | taint_array output argument |
+| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:10:20:13 | (unsigned long)... |
+| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
+| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
+| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
+| field_conflation.c:20:13:20:13 | x | field_conflation.c:20:10:20:13 | (unsigned long)... |
+| field_conflation.c:20:13:20:13 | x | field_conflation.c:20:13:20:13 | x |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
@@ -60,6 +69,15 @@ edges
 | test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
 | test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
 nodes
+| field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
+| field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
+| field_conflation.c:13:10:13:25 | Chi | semmle.label | Chi |
+| field_conflation.c:19:15:19:17 | taint_array output argument | semmle.label | taint_array output argument |
+| field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |
+| field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |
+| field_conflation.c:20:13:20:13 | x | semmle.label | x |
+| field_conflation.c:20:13:20:13 | x | semmle.label | x |
+| field_conflation.c:20:13:20:13 | x | semmle.label | x |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
@@ -123,6 +141,7 @@ nodes
 | test.cpp:235:11:235:20 | (size_t)... | semmle.label | (size_t)... |
 | test.cpp:237:10:237:19 | (size_t)... | semmle.label | (size_t)... |
 #select
+| field_conflation.c:20:3:20:8 | call to malloc | field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:20:13:20:13 | x | This allocation size is derived from $@ and might overflow | field_conflation.c:12:22:12:27 | call to getenv | user input (getenv) |
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/field_conflation.c

@@ -0,0 +1,21 @@
+int atoi(const char *nptr);
+void *malloc(unsigned long size);
+char *getenv(const char *name);
+void *memcpy(void *dst, void *src, unsigned long size);
+
+struct ContainsArray {
+  int arr[16];
+  int x;
+};
+
+void taint_array(struct ContainsArray *ca, int offset) {
+  int tainted = atoi(getenv("VAR"));
+  memcpy(ca->arr + offset, &tainted, sizeof(int));
+}
+
+void test_conflated_fields3(int arbitrary) {
+  struct ContainsArray ca;
+  ca.x = 4;
+  taint_array(&ca, arbitrary);
+  malloc(ca.x); // not tainted [FALSE POSITIVE]
+}