hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7267 from github/redsun82/cpp-overrunning-write-precision-split

Browse Source 
C++: add some more range analysis tests
This commit is contained in:
Paolo Tranquilli
2021-11-30 12:54:48 +01:00
committed by GitHub
parent c91b6f7ce9 3f218c903b
commit b40c77d419
2 changed files with 50 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
View File

@@ -3,13 +3,17 @@
| tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
| tests.cpp:341:2:341:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
| tests.cpp:343:2:343:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
| tests.cpp:345:2:345:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
| tests.cpp:347:2:347:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
| tests.cpp:350:2:350:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
| tests.cpp:354:2:354:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
| tests.cpp:358:2:358:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
| tests.cpp:363:2:363:8 | call to sprintf | This 'call to sprintf' operation requires 5 bytes but the destination is only 4 bytes. |

63
cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
View File

@@ -310,39 +310,56 @@ namespace custom_sprintf_impl {
}
void test6(unsigned unsigned_value, int value) {
char buffer[2];
char buffer2[2], buffer3[3], buffer4[4], buffer5[5];
sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
if (unsigned_value < 10) {
sprintf(buffer, "%u", unsigned_value); // GOOD
sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow
if (unsigned_value < 1000) {
sprintf(buffer4, "%u", unsigned_value); // GOOD
}
sprintf(buffer, "%u", -10); // BAD: buffer overflow
sprintf(buffer4, "%u", -100); // BAD: buffer overflow
if(unsigned_value == (unsigned)-10) {
sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
if(unsigned_value == (unsigned)-100) {
sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
}
sprintf(buffer, "%d", value); // BAD: buffer overflow
if (value < 10) {
sprintf(buffer, "%d", value); // BAD: buffer overflow
sprintf(buffer4, "%d", value); // BAD: buffer overflow
if (value < 1000) {
sprintf(buffer4, "%d", value); // BAD: buffer overflow
if(value > 0) {
sprintf(buffer, "%d", value); // GOOD
if(value > -100) {
sprintf(buffer4, "%d", value); // GOOD
}
}
sprintf(buffer, "%u", 0); // GOOD
sprintf(buffer, "%d", 0); // GOOD
sprintf(buffer, "%u", 5); // GOOD
sprintf(buffer, "%d", 5); // GOOD
sprintf(buffer2, "%u", 0); // GOOD
sprintf(buffer2, "%d", 0); // GOOD
sprintf(buffer2, "%u", 5); // GOOD
sprintf(buffer2, "%d", 5); // GOOD
sprintf(buffer, "%d", -1); // BAD
sprintf(buffer, "%d", 9); // GOOD
sprintf(buffer, "%d", 10); // BAD
sprintf(buffer2, "%d", -1); // BAD
sprintf(buffer2, "%d", 9); // GOOD
sprintf(buffer2, "%d", 10); // BAD
sprintf(buffer, "%u", -1); // BAD
sprintf(buffer, "%u", 9); // GOOD
sprintf(buffer, "%u", 10); // BAD
sprintf(buffer2, "%u", -1); // BAD
sprintf(buffer2, "%u", 9); // GOOD
sprintf(buffer2, "%u", 10); // BAD
unsigned char unsigned_char = unsigned_value;
sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD
sprintf(buffer4, "%u", (unsigned)unsigned_char); // GOOD: 0..255 fits
unsigned small = unsigned_value >> (sizeof(unsigned_value) * 8 - 9); // in range 0..511
sprintf(buffer3, "%u", small); // BAD
sprintf(buffer4, "%u", small); // GOOD
small = unsigned_value & ((1u << 9) - 1); // in range 0..511
sprintf(buffer3, "%u", small); // BAD
sprintf(buffer4, "%u", small); // GOOD: 0..511 fits
char c = value;
sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit
sprintf(buffer5, "%d", (int)c); // GOOD: -127..128 fits
}