[CPP-340] For MistypedFunctionArguments.ql, add support for pointers to pointers and pointers to arrays.

This commit is contained in:
Ziemowit Laski
2019-04-24 14:54:01 -07:00
parent 36b2c14f88
commit ac58bdfc58
6 changed files with 58 additions and 34 deletions


@@ -28,7 +28,7 @@ predicate arithTypesMatch(Type arg, Type parm) {
}
pragma[inline]
predicate pointerArgTypeMayBeUsed(Type arg, Type parm) {
predicate nestedPointerArgTypeMayBeUsed(Type arg, Type parm) {
// arithmetic types
arithTypesMatch(arg, parm)
or
@@ -38,6 +38,18 @@ predicate pointerArgTypeMayBeUsed(Type arg, Type parm) {
parm instanceof VoidType
}
pragma[inline]
predicate pointerArgTypeMayBeUsed(Type arg, Type parm) {
nestedPointerArgTypeMayBeUsed(arg, parm)
or
// nested pointers
nestedPointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
parm.(PointerType).getBaseType().getUnspecifiedType())
or
nestedPointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
parm.(PointerType).getBaseType().getUnspecifiedType())
}
pragma[inline]
predicate argTypeMayBeUsed(Type arg, Type parm) {
// arithmetic types
@@ -58,10 +70,8 @@ predicate argTypeMayBeUsed(Type arg, Type parm) {
parm.(ArrayType).getBaseType().getUnspecifiedType())
}
// This predicate doesn't necessarily have to exist, but if it does exist
// then it must be inline to make sure we don't enumerate all pairs of
// compatible types.
// Its body could also just be hand-inlined where it's used.
// This predicate holds whenever expression `arg` may be used to initialize
// function parameter `parm` without need for run-time conversion.
pragma[inline]
predicate argMayBeUsed(Expr arg, Parameter parm) {
argTypeMayBeUsed(arg.getFullyConverted().getType().getUnspecifiedType(),
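Review bot: The new nested branches in pointerArgTypeMayBeUsed strip one more pointer level from both sides and then hand the base types to nestedPointerArgTypeMayBeUsed, which still holds when `parm instanceof VoidType`; so an argument of type `T **` is now accepted for a parameter of type `void **` even though C offers no implicit conversion there (the query may deliberately be checking representation rather than language compatibility, but nothing in the hunk says which). The array case is also one-sided: `arg.(ArrayType)` against `parm.(PointerType)` is covered, while argTypeMayBeUsed at the outer level also compares against `parm.(ArrayType).getBaseType()`, so a nested array-typed parameter appears to fall through; please confirm against the part of nestedPointerArgTypeMayBeUsed that lies outside this hunk. Either way the new predicate should carry a QLDoc comment stating the intended contract, e.g. `/** Holds if a pointer argument of base type `arg` can be passed for a pointer parameter of base type `parm` without conversion; one extra level of pointer or array nesting is compared, but deeper nesting and array-typed nested parameters are not. */`.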


@@ -1,9 +1,10 @@
/**
* @name Call to function with fewer arguments than declared parameters
* @description A function call passed fewer arguments than the number of
* @description A function call is passing fewer arguments than the number of
* declared parameters of the function. This may indicate
* that the code does not follow the author's intent. It is also a vulnerability,
* since the function is like to operate on undefined data.
* that the code does not follow the author's intent. It is also
* a vulnerability, since the function is likely to operate on
* undefined data.
* @kind problem
* @problem.severity error
* @precision very-high