CPP: Move the fix into Buffer.qll so that it applies to other queries.

2026-05-03 04:39:29 +02:00 · 2018-10-08 11:06:13 +01:00
parent f99f44a571
commit ad44416189
2 changed files with 3 additions and 2 deletions
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -21,5 +21,4 @@ from BufferWrite bw, int destSize
 where bw.hasExplicitLimit()                     // has an explicit size limit
  and destSize = getBufferSize(bw.getDest(), _)
  and (bw.getExplicitLimit() > destSize)        // but it's larger than the destination
-  and not destSize = 0                          // probably just a hack if the destination size is 0
 select bw, "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() + " bytes but the destination is only " + destSize + " bytes."
--- a/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
@@ -57,7 +57,9 @@ int getBufferSize(Expr bufferExpr, Element why) {
      // buffer is a fixed size array
      result = bufferVar.getType().getUnspecifiedType().(ArrayType).getSize() and
      why = bufferVar and
-      not memberMayBeVarSize(_, bufferVar)
+      not memberMayBeVarSize(_, bufferVar) and
+      not result = 0 // zero sized arrays are likely to have special usage, for example
+                     // behaving a bit like a 'union' overlapping other fields. 
    ) or (
      // buffer is an initialized array
      //  e.g. int buffer[] = {1, 2, 3};