Merge branch 'main' into weak_crypto

Geoffrey White
2021-05-19 11:19:08 +01:00
138 changed files with 5341 additions and 660 deletions


@@ -586,6 +586,23 @@ void test21(bool cond)
if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[1]
}
void test22(bool b, const char* source) {
char buffer[16];
int k;
for (k = 0; k <= 100; k++) {
if(k < 16) {
buffer[k] = 'x'; // GOOD
}
}
char dest[128];
int n = b ? 1024 : 132;
if (n >= 128) {
return;
}
memcpy(dest, source, n); // GOOD
}
int main(int argc, char *argv[])
{
long long arr17[19];
@@ -609,6 +626,7 @@ int main(int argc, char *argv[])
test19(argc == 0);
test20();
test21(argc == 0);
test22(argc == 0, argv[0]);
return 0;
}
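Review bot: The `memcpy(dest, source, n); // GOOD` line in test22 is unreachable as written, because `n` is either 1024 or 132 and the `if (n >= 128)` guard returns for both, yet the bare `// GOOD` does not say that this is what the case relies on. I would spell it out, e.g. `// GOOD: n is 132 or 1024, so the guard above always returns and this copy never runs`, and likewise `// GOOD: the k < 16 check keeps the write inside buffer[16]` on the loop store. As it stands the case shows only that the query stays quiet here; a sibling case whose guard lets an oversize value reach the copy and is annotated `// BAD` would show that the guard is what makes the difference.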


@@ -1,228 +1,174 @@
edges
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:97:18:97:23 | buffer | test.cpp:100:4:100:15 | buffer |
| test.cpp:97:18:97:23 | buffer | test.cpp:100:17:100:22 | buffer indirection |
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | ... + ... |
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | buffer |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:4:100:15 | buffer |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:17:100:22 | buffer indirection |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | ... + ... |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | buffer |
| test.cpp:100:4:100:15 | buffer | test.cpp:100:17:100:22 | processData1 output argument |
| test.cpp:100:17:100:22 | buffer indirection | test.cpp:100:17:100:22 | processData1 output argument |
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | ... + ... |
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | buffer |
| test.cpp:101:4:101:15 | ... + ... | test.cpp:75:38:75:40 | end |
| test.cpp:101:4:101:15 | buffer | test.cpp:75:25:75:29 | start |
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:42 | Store |
| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:42 | Store |
| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | (size_t)... |
| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
| test.cpp:227:24:227:29 | call to getenv | test.cpp:235:2:235:9 | local_size |
| test.cpp:227:24:227:29 | call to getenv | test.cpp:237:2:237:8 | local_size |
| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | (size_t)... |
| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
| test.cpp:227:24:227:37 | (const char *)... | test.cpp:235:2:235:9 | local_size |
| test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:2:237:8 | local_size |
| test.cpp:235:2:235:9 | local_size | test.cpp:214:23:214:23 | s |
| test.cpp:237:2:237:8 | local_size | test.cpp:220:21:220:21 | s |
| test.cpp:241:2:241:32 | Chi [array content] | test.cpp:279:17:279:20 | get_size output argument [array content] |
| test.cpp:241:2:241:32 | Chi [array content] | test.cpp:295:18:295:21 | get_size output argument [array content] |
| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi [array content] |
| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi [array content] |
| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
| test.cpp:279:17:279:20 | Chi | test.cpp:281:11:281:28 | ... * ... |
| test.cpp:279:17:279:20 | Chi | test.cpp:281:11:281:28 | ... * ... |
| test.cpp:279:17:279:20 | get_size output argument [array content] | test.cpp:279:17:279:20 | Chi |
| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
| test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi |
| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | (size_t)... |
| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | (size_t)... |
| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | (size_t)... |
| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | (size_t)... |
| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:124:18:124:31 | (const char *)... | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:124:18:124:31 | (const char *)... | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
| test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
| test.cpp:133:19:133:32 | (const char *)... | test.cpp:135:10:135:27 | ... * ... |
| test.cpp:133:19:133:32 | (const char *)... | test.cpp:135:10:135:27 | ... * ... |
| test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
| test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
| test.cpp:148:20:148:33 | (const char *)... | test.cpp:152:11:152:28 | ... * ... |
| test.cpp:148:20:148:33 | (const char *)... | test.cpp:152:11:152:28 | ... * ... |
| test.cpp:211:9:211:42 | Store | test.cpp:241:9:241:24 | call to get_tainted_size |
| test.cpp:211:9:211:42 | Store | test.cpp:241:9:241:24 | call to get_tainted_size |
| test.cpp:211:14:211:19 | call to getenv | test.cpp:211:9:211:42 | Store |
| test.cpp:211:14:211:27 | (const char *)... | test.cpp:211:9:211:42 | Store |
| test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
| test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | (size_t)... |
| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
| test.cpp:237:24:237:29 | call to getenv | test.cpp:245:2:245:9 | local_size |
| test.cpp:237:24:237:29 | call to getenv | test.cpp:247:2:247:8 | local_size |
| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | (size_t)... |
| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
| test.cpp:237:24:237:37 | (const char *)... | test.cpp:245:2:245:9 | local_size |
| test.cpp:237:24:237:37 | (const char *)... | test.cpp:247:2:247:8 | local_size |
| test.cpp:245:2:245:9 | local_size | test.cpp:224:23:224:23 | s |
| test.cpp:247:2:247:8 | local_size | test.cpp:230:21:230:21 | s |
| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:289:17:289:20 | get_size output argument [array content] |
| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:305:18:305:21 | get_size output argument [array content] |
| test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:32 | Chi [array content] |
| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:32 | Chi [array content] |
| test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
| test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
| test.cpp:289:17:289:20 | get_size output argument [array content] | test.cpp:289:17:289:20 | Chi |
| test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
| test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
| test.cpp:305:18:305:21 | get_size output argument [array content] | test.cpp:305:18:305:21 | Chi |
nodes
| test.cpp:39:21:39:24 | argv | semmle.label | argv |
| test.cpp:39:21:39:24 | argv | semmle.label | argv |
| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:48:32:48:35 | size | semmle.label | size |
| test.cpp:48:32:48:35 | size | semmle.label | size |
| test.cpp:48:32:48:35 | size | semmle.label | size |
| test.cpp:49:26:49:29 | size | semmle.label | size |
| test.cpp:49:26:49:29 | size | semmle.label | size |
| test.cpp:49:26:49:29 | size | semmle.label | size |
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
| test.cpp:64:25:64:30 | buffer | semmle.label | buffer |
| test.cpp:75:25:75:29 | start | semmle.label | start |
| test.cpp:75:38:75:40 | end | semmle.label | end |
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
| test.cpp:97:18:97:23 | buffer | semmle.label | buffer |
| test.cpp:97:18:97:23 | fread output argument | semmle.label | fread output argument |
| test.cpp:100:4:100:15 | buffer | semmle.label | buffer |
| test.cpp:100:17:100:22 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:100:17:100:22 | processData1 output argument | semmle.label | processData1 output argument |
| test.cpp:101:4:101:15 | ... + ... | semmle.label | ... + ... |
| test.cpp:101:4:101:15 | buffer | semmle.label | buffer |
| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
| test.cpp:132:19:132:24 | call to getenv | semmle.label | call to getenv |
| test.cpp:132:19:132:32 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:138:19:138:24 | call to getenv | semmle.label | call to getenv |
| test.cpp:138:19:138:32 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:201:9:201:42 | Store | semmle.label | Store |
| test.cpp:201:14:201:19 | call to getenv | semmle.label | call to getenv |
| test.cpp:201:14:201:27 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:214:23:214:23 | s | semmle.label | s |
| test.cpp:215:21:215:21 | s | semmle.label | s |
| test.cpp:215:21:215:21 | s | semmle.label | s |
| test.cpp:215:21:215:21 | s | semmle.label | s |
| test.cpp:220:21:220:21 | s | semmle.label | s |
| test.cpp:221:21:221:21 | s | semmle.label | s |
| test.cpp:221:21:221:21 | s | semmle.label | s |
| test.cpp:221:21:221:21 | s | semmle.label | s |
| test.cpp:227:24:227:29 | call to getenv | semmle.label | call to getenv |
| test.cpp:227:24:227:37 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:235:2:235:9 | local_size | semmle.label | local_size |
| test.cpp:237:2:237:8 | local_size | semmle.label | local_size |
| test.cpp:241:2:241:32 | Chi [array content] | semmle.label | Chi [array content] |
| test.cpp:241:2:241:32 | ChiPartial | semmle.label | ChiPartial |
| test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv |
| test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv |
| test.cpp:249:20:249:33 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:279:17:279:20 | Chi | semmle.label | Chi |
| test.cpp:279:17:279:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:295:18:295:21 | Chi | semmle.label | Chi |
| test.cpp:295:18:295:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:301:19:301:24 | call to getenv | semmle.label | call to getenv |
| test.cpp:301:19:301:32 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:309:19:309:24 | call to getenv | semmle.label | call to getenv |
| test.cpp:309:19:309:32 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:40:21:40:24 | argv | semmle.label | argv |
| test.cpp:40:21:40:24 | argv | semmle.label | argv |
| test.cpp:43:38:43:44 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:43:38:43:44 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
| test.cpp:49:32:49:35 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:49:32:49:35 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:49:32:49:35 | size | semmle.label | size |
| test.cpp:49:32:49:35 | size | semmle.label | size |
| test.cpp:49:32:49:35 | size | semmle.label | size |
| test.cpp:50:26:50:29 | size | semmle.label | size |
| test.cpp:50:26:50:29 | size | semmle.label | size |
| test.cpp:50:26:50:29 | size | semmle.label | size |
| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:124:18:124:23 | call to getenv | semmle.label | call to getenv |
| test.cpp:124:18:124:31 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
| test.cpp:133:19:133:24 | call to getenv | semmle.label | call to getenv |
| test.cpp:133:19:133:32 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:148:20:148:25 | call to getenv | semmle.label | call to getenv |
| test.cpp:148:20:148:33 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:211:9:211:42 | Store | semmle.label | Store |
| test.cpp:211:14:211:19 | call to getenv | semmle.label | call to getenv |
| test.cpp:211:14:211:27 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:224:23:224:23 | s | semmle.label | s |
| test.cpp:225:21:225:21 | s | semmle.label | s |
| test.cpp:225:21:225:21 | s | semmle.label | s |
| test.cpp:225:21:225:21 | s | semmle.label | s |
| test.cpp:230:21:230:21 | s | semmle.label | s |
| test.cpp:231:21:231:21 | s | semmle.label | s |
| test.cpp:231:21:231:21 | s | semmle.label | s |
| test.cpp:231:21:231:21 | s | semmle.label | s |
| test.cpp:237:24:237:29 | call to getenv | semmle.label | call to getenv |
| test.cpp:237:24:237:37 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:239:9:239:18 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:239:9:239:18 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:245:2:245:9 | local_size | semmle.label | local_size |
| test.cpp:247:2:247:8 | local_size | semmle.label | local_size |
| test.cpp:251:2:251:32 | Chi [array content] | semmle.label | Chi [array content] |
| test.cpp:251:2:251:32 | ChiPartial | semmle.label | ChiPartial |
| test.cpp:251:18:251:23 | call to getenv | semmle.label | call to getenv |
| test.cpp:251:18:251:31 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:259:20:259:25 | call to getenv | semmle.label | call to getenv |
| test.cpp:259:20:259:33 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:289:17:289:20 | Chi | semmle.label | Chi |
| test.cpp:289:17:289:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:305:18:305:21 | Chi | semmle.label | Chi |
| test.cpp:305:18:305:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
#select
| test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:79:9:79:29 | new[] | test.cpp:97:18:97:23 | buffer | test.cpp:79:18:79:28 | ... - ... | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |
| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
| test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
| test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
| test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
| test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
| test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
| test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
| test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
| test.cpp:305:4:305:9 | call to malloc | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:301:19:301:24 | call to getenv | user input (getenv) |
| test.cpp:314:3:314:8 | call to malloc | test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:309:19:309:24 | call to getenv | user input (getenv) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
| test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:124:18:124:23 | call to getenv | user input (getenv) |
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:133:19:133:24 | call to getenv | user input (getenv) |
| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:148:20:148:25 | call to getenv | user input (getenv) |
| test.cpp:225:14:225:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:225:21:225:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:19 | call to getenv | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:211:14:211:19 | call to getenv | user input (getenv) |
| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:259:20:259:25 | call to getenv | user input (getenv) |
| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (getenv) |
| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (getenv) |


@@ -7,6 +7,7 @@ void *malloc(size_t size);
void *realloc(void *ptr, size_t size);
void free(void *ptr);
int atoi(const char *nptr);
long atol(const char *nptr);
struct MyStruct
{
char data[256];
@@ -76,7 +77,7 @@ void processData2(char *start, char *end)
{
char *copy;
copy = new char[end - start]; // GOOD [FALSE POSITIVE]
copy = new char[end - start]; // GOOD
// ...
@@ -137,6 +138,15 @@ void more_bounded_tests() {
{
int size = atoi(getenv("USER"));
if (size > 0)
{
malloc(size * sizeof(int)); // GOOD (overflow not possible)
}
}
{
long size = atol(getenv("USER"));
if (size > 0)
{
malloc(size * sizeof(int)); // BAD
@@ -302,7 +312,7 @@ void equality_cases() {
if ((size == 50) || (size == 100))
{
malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
malloc(size * sizeof(int)); // GOOD
}
}
{
@@ -311,6 +321,15 @@ void equality_cases() {
if (size != 50 && size != 100)
return;
malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
malloc(size * sizeof(int)); // GOOD
}
}
char * strstr(char *, const char *);
void ptr_diff_case() {
char* user = getenv("USER");
char* admin_begin_pos = strstr(user, "ADMIN");
int offset = admin_begin_pos ? user - admin_begin_pos : 0;
malloc(offset); // GOOD
}
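Review bot: In `ptr_diff_case` the subtraction `user - admin_begin_pos` has its operands in the reverse order for an offset into the string: `strstr` returns a pointer at or after `user`, so `offset` is zero or negative whenever a match is found, and a negative `int` becomes a very large `size_t` when it reaches `malloc(offset)`. If the case is meant to model a small non-negative offset that the query should not flag, `int offset = admin_begin_pos ? admin_begin_pos - user : 0;` expresses that. If the reversed form is deliberate, a short comment saying so would stop `// GOOD` from reading as a statement that the allocation itself is sound. Separately, the `// GOOD (overflow not possible)` annotation on the `int size` case in `more_bounded_tests` (a function that starts outside the hunk) appears to hold only where `size_t` is wider than `int`, and the comment could state that assumption.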


@@ -7,30 +7,10 @@ edges
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
@@ -67,34 +47,11 @@ nodes
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
| test.c:40:5:40:5 | r | semmle.label | r |
| test.c:40:5:40:5 | r | semmle.label | r |
| test.c:40:5:40:5 | r | semmle.label | r |
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
| test.c:56:5:56:5 | r | semmle.label | r |
| test.c:56:5:56:5 | r | semmle.label | r |
| test.c:56:5:56:5 | r | semmle.label | r |
| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
| test.c:61:5:61:5 | r | semmle.label | r |
| test.c:61:5:61:5 | r | semmle.label | r |
| test.c:61:5:61:5 | r | semmle.label | r |
| test.c:62:5:62:5 | r | semmle.label | r |
| test.c:62:5:62:5 | r | semmle.label | r |
| test.c:62:5:62:5 | r | semmle.label | r |
| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
| test.c:67:5:67:5 | r | semmle.label | r |
| test.c:67:5:67:5 | r | semmle.label | r |
| test.c:67:5:67:5 | r | semmle.label | r |
| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
| test.c:77:9:77:9 | r | semmle.label | r |
@@ -133,10 +90,7 @@ nodes
#select
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
| test.c:40:5:40:5 | r | test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
| test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
| test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |


@@ -37,7 +37,7 @@ void randomTester() {
{
int r = RANDN(100);
r += 100; // GOOD: The return from RANDN is bounded [FALSE POSITIVE]
r += 100; // GOOD: The return from RANDN is bounded
}
{
@@ -53,7 +53,7 @@ void randomTester() {
{
int r = rand();
r = r / 10;
r += 100; // GOOD [FALSE POSITIVE]
r += 100; // GOOD
}
{
@@ -64,7 +64,7 @@ void randomTester() {
{
int r = rand() & 0xFF;
r += 100; // GOOD [FALSE POSITIVE]
r += 100; // GOOD
}
{