hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add getSizeExpr and getSizeMult predicates to BufferAccess

Browse Source
This commit is contained in:
Gulshan Singh
2023-03-21 23:38:44 -07:00
parent 117a983423
commit abec99badb
1 changed files with 60 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
cpp/ql/lib/semmle/code/cpp/security/BufferAccess.qll
View File

@@ -29,7 +29,23 @@ abstract class BufferAccess extends Expr {
*/
abstract Expr getBuffer(string bufferDesc, int accessType);
abstract int getSize();
/**
* Gets the expression that represents the size of the buffer access. The
* actual size is typically the value of this expression multiplied by the
* result of `getSizeMult()`, in bytes.
*/
Expr getSizeExpr() { none() }
/**
* Gets a constant multiplier for the buffer access size given by
* `getSizeExpr`, in bytes.
*/
int getSizeMult() { none() }
/**
* Gets the buffer access size in bytes.
*/
int getSize() { result = this.getSizeExpr().getValue().toInt() * this.getSizeMult() }
}
/**
@@ -63,10 +79,10 @@ class MemcpyBA extends BufferAccess {
accessType = 1
}
override int getSize() {
result =
this.(FunctionCall).getArgument(2).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -89,10 +105,10 @@ class BCopyBA extends BufferAccess {
accessType = 1
}
override int getSize() {
result =
this.(FunctionCall).getArgument(2).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -115,10 +131,10 @@ class StrncpyBA extends BufferAccess {
accessType = 2
}
override int getSize() {
result =
this.(FunctionCall).getArgument(2).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -141,10 +157,10 @@ class MemccpyBA extends BufferAccess {
accessType = 2
}
override int getSize() {
result =
this.(FunctionCall).getArgument(3).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(3) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -172,10 +188,10 @@ class MemcmpBA extends BufferAccess {
accessType = 2
}
override int getSize() {
result =
this.(FunctionCall).getArgument(2).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -199,10 +215,10 @@ class SwabBA extends BufferAccess {
accessType = 1
}
override int getSize() {
result =
this.(FunctionCall).getArgument(2).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -222,10 +238,10 @@ class MemsetBA extends BufferAccess {
accessType = 1
}
override int getSize() {
result =
this.(FunctionCall).getArgument(2).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -244,7 +260,9 @@ class ZeroMemoryBA extends BufferAccess {
accessType = 1
}
override int getSize() { result = this.(FunctionCall).getArgument(1).getValue().toInt() }
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(1) }
override int getSizeMult() { result = 1 }
}
/**
@@ -263,10 +281,10 @@ class MemchrBA extends BufferAccess {
accessType = 2
}
override int getSize() {
result =
this.(FunctionCall).getArgument(2).getValue().toInt() *
getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
override int getSizeMult() {
result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
}
}
@@ -285,11 +303,9 @@ class FreadBA extends BufferAccess {
accessType = 2
}
override int getSize() {
result =
this.(FunctionCall).getArgument(1).getValue().toInt() *
this.(FunctionCall).getArgument(2).getValue().toInt()
}
override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(1) }
override int getSizeMult() { result = this.(FunctionCall).getArgument(2).getValue().toInt() }
}
/**
@@ -318,11 +334,13 @@ class ArrayExprBA extends BufferAccess {
accessType = 3
}
override Expr getSizeExpr() { result = this.(ArrayExpr).getArrayOffset() }
override int getSize() {
// byte size of the buffer that would be required to support this
// access
result =
(1 + this.(ArrayExpr).getArrayOffset().getValue().toInt()) *
this.(ArrayExpr).getType().getSize()
result = (1 + this.getSizeExpr().getValue().toInt()) * this.getSizeMult()
}
override int getSizeMult() { result = this.(ArrayExpr).getType().getSize() }
}