From ace7b6b7116bf5dea1cfcd3bc6cef3ca65feb83b Mon Sep 17 00:00:00 2001
From: Jeroen Ketema <jketema@github.com>
Date: Wed, 31 May 2023 11:49:00 +0200
Subject: [PATCH] C++: Add `cpp/invalid-pointer-deref` FP test case

---
 .../pointer-deref/InvalidPointerDeref.expected  | 17 +++++++++++++++++
 .../Security/CWE/CWE-193/pointer-deref/test.cpp | 14 ++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
index 6b4d039ee6b..09c75e7369c 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -723,6 +723,15 @@ edges
 | test.cpp:359:16:359:27 | end_plus_one | test.cpp:358:14:358:26 | Load: * ... |
 | test.cpp:359:16:359:27 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
 | test.cpp:359:16:359:31 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:363:14:363:27 | new[] | test.cpp:365:15:365:15 | p |
+| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
+| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
+| test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... |
+| test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:15 | p | semmle.label | p |
@@ -1050,6 +1059,13 @@ nodes
 | test.cpp:359:14:359:32 | Load: * ... | semmle.label | Load: * ... |
 | test.cpp:359:16:359:27 | end_plus_one | semmle.label | end_plus_one |
 | test.cpp:359:16:359:31 | ... + ... | semmle.label | ... + ... |
+| test.cpp:363:14:363:27 | new[] | semmle.label | new[] |
+| test.cpp:365:15:365:15 | p | semmle.label | p |
+| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:371:7:371:7 | p | semmle.label | p |
+| test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:372:16:372:16 | p | semmle.label | p |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -1077,3 +1093,4 @@ subpaths
 | test.cpp:350:15:350:19 | Load: * ... | test.cpp:347:14:347:27 | new[] | test.cpp:350:15:350:19 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:347:14:347:27 | new[] | new[] | test.cpp:348:20:348:23 | size | size |
 | test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
 | test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
+| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
index 3dfd8b89097..3711f272e76 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -358,3 +358,17 @@ void test25(unsigned size) {
   int val1 = *end_plus_one; // BAD
   int val2 = *(end_plus_one + 1); // BAD
 }
+
+void test26(unsigned size) {
+  char *xs = new char[size];
+  char *p = xs;
+  char *end = p + size;
+
+  if (p + 4 <= end) {
+    p += 4;
+  }
+
+  if (p < end) {
+    int val = *p; // GOOD [FALSE POSITIVE]
+  }
+}