Merge branch 'master' into ir-flow-fields

2026-05-01 03:35:13 +02:00 · 2020-04-17 13:57:12 +02:00
parent 8c03423f3e e974006122
commit ba0429cf01
44 changed files with 1776 additions and 11668 deletions
--- a/cpp/ql/src/Critical/Negativity.qll
+++ b/cpp/ql/src/Critical/Negativity.qll
@@ -1,10 +1,19 @@
 import cpp

+/**
+ * Holds if `val` is an access to the variable `v`, or if `val`
+ * is an assignment with an access to `v` on the left-hand side.
+ */
 predicate valueOfVar(Variable v, Expr val) {
  val = v.getAnAccess() or
  val.(AssignExpr).getLValue() = v.getAnAccess()
 }

+/**
+ * Holds if either:
+ * - `cond` is an (in)equality expression that compares the variable `v` to the value `-1`, or
+ * - `cond` is a relational expression that compares the variable `v` to a constant.
+ */
 predicate boundsCheckExpr(Variable v, Expr cond) {
  exists(EQExpr eq |
    cond = eq and
@@ -43,6 +52,18 @@ predicate boundsCheckExpr(Variable v, Expr cond) {
  )
 }

+/**
+ * Holds if `node` is an expression in a conditional statement and `succ` is an
+ * immediate successor of `node` that may be reached after evaluating `node`.
+ * For example, given
+ * ```
+ * if (a < 10 && b) func1();
+ * else func2();
+ * ```
+ * this predicate holds when either:
+ * - `node` is `a < 10` and `succ` is `func2()` or `b`, or
+ * - `node` is `b` and `succ` is `func1()` or `func2()`
+ */
 predicate conditionalSuccessor(ControlFlowNode node, ControlFlowNode succ) {
  if node.isCondition()
  then succ = node.getATrueSuccessor() or succ = node.getAFalseSuccessor()
@@ -52,6 +73,12 @@ predicate conditionalSuccessor(ControlFlowNode node, ControlFlowNode succ) {
    )
 }

+/**
+ * Holds if the current value of the variable `v` at control-flow
+ * node `n` has been used either in:
+ * - an (in)equality comparison with the value `-1`, or
+ * - a relational comparison that compares `v` to a constant.
+ */
 predicate boundsChecked(Variable v, ControlFlowNode node) {
  exists(Expr test |
    boundsCheckExpr(v, test) and
@@ -63,6 +90,14 @@ predicate boundsChecked(Variable v, ControlFlowNode node) {
  )
 }

+/**
+ * Holds if `cond` compares `v` to some common error values. Specifically, this
+ * predicate holds when:
+ * - `cond` checks that `v` is equal to `-1`, or
+ * - `cond` checks that `v` is less than `0`, or
+ * - `cond` checks that `v` is less than or equal to `-1`, or
+ * - `cond` checks that `v` is not some common success value (see `successCondition`).
+ */
 predicate errorCondition(Variable v, Expr cond) {
  exists(EQExpr eq |
    cond = eq and
@@ -88,6 +123,14 @@ predicate errorCondition(Variable v, Expr cond) {
  )
 }

+/**
+ * Holds if `cond` compares `v` to some common success values. Specifically, this
+ * predicate holds when:
+ * - `cond` checks that `v` is not equal to `-1`, or
+ * - `cond` checks that `v` is greater than or equal than `0`, or
+ * - `cond` checks that `v` is greater than `-1`, or
+ * - `cond` checks that `v` is not some common error value (see `errorCondition`).
+ */
 predicate successCondition(Variable v, Expr cond) {
  exists(NEExpr ne |
    cond = ne and
@@ -113,6 +156,11 @@ predicate successCondition(Variable v, Expr cond) {
  )
 }

+/**
+ * Holds if there exists a comparison operation that checks whether `v`
+ * represents some common *error* values, and `n` may be reached
+ * immediately following the comparison operation.
+ */
 predicate errorSuccessor(Variable v, ControlFlowNode n) {
  exists(Expr cond |
    errorCondition(v, cond) and n = cond.getATrueSuccessor()
@@ -121,6 +169,11 @@ predicate errorSuccessor(Variable v, ControlFlowNode n) {
  )
 }

+/**
+ * Holds if there exists a comparison operation that checks whether `v`
+ * represents some common *success* values, and `n` may be reached
+ * immediately following the comparison operation.
+ */
 predicate successSuccessor(Variable v, ControlFlowNode n) {
  exists(Expr cond |
    successCondition(v, cond) and n = cond.getATrueSuccessor()
@@ -129,6 +182,10 @@ predicate successSuccessor(Variable v, ControlFlowNode n) {
  )
 }

+/**
+ * Holds if the current value of the variable `v` at control-flow node
+ * `n` may have been checked against a common set of *error* values.
+ */
 predicate checkedError(Variable v, ControlFlowNode n) {
  errorSuccessor(v, n)
  or
@@ -139,6 +196,10 @@ predicate checkedError(Variable v, ControlFlowNode n) {
  )
 }

+/**
+ * Holds if the current value of the variable `v` at control-flow node
+ * `n` may have been checked against a common set of *success* values.
+ */
 predicate checkedSuccess(Variable v, ControlFlowNode n) {
  successSuccessor(v, n)
  or
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -15,31 +15,31 @@ import cpp
 import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath

-predicate taintedChild(Expr e, Expr tainted) {
-  (
-    isAllocationExpr(e)
-    or
-    any(MulExpr me | me.getAChild() instanceof SizeofOperator) = e
-  ) and
-  tainted = e.getAChild() and
+/**
+ * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
+ * taint sink.
+ */
+predicate allocSink(Expr alloc, Expr tainted) {
+  isAllocationExpr(alloc) and
+  tainted = alloc.getAChild() and
  tainted.getUnspecifiedType() instanceof IntegralType
 }

 class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) { taintedChild(_, tainted) }
+  override predicate isSink(Element tainted) { allocSink(_, tainted) }
 }

 predicate taintedAllocSize(
-  Expr e, Expr source, PathNode sourceNode, PathNode sinkNode, string taintCause
+  Expr source, Expr alloc, PathNode sourceNode, PathNode sinkNode, string taintCause
 ) {
  isUserInput(source, taintCause) and
  exists(Expr tainted |
-    taintedChild(e, tainted) and
+    allocSink(alloc, tainted) and
    taintedWithPath(source, tainted, sourceNode, sinkNode)
  )
 }

-from Expr e, Expr source, PathNode sourceNode, PathNode sinkNode, string taintCause
-where taintedAllocSize(e, source, sourceNode, sinkNode, taintCause)
-select e, sourceNode, sinkNode, "This allocation size is derived from $@ and might overflow",
+from Expr source, Expr alloc, PathNode sourceNode, PathNode sinkNode, string taintCause
+where taintedAllocSize(source, alloc, sourceNode, sinkNode, taintCause)
+select alloc, sourceNode, sinkNode, "This allocation size is derived from $@ and might overflow",
  source, "user input (" + taintCause + ")"
--- a/cpp/ql/src/semmle/code/cpp/Class.qll
+++ b/cpp/ql/src/semmle/code/cpp/Class.qll
@@ -458,6 +458,15 @@ class Class extends UserType {
    exists(ClassDerivation d | d.getDerivedClass() = this and d = result)
  }

+  /**
+   * Gets class derivation number `index` of this class/struct, for example the
+   * `public B` is derivation 1 in the following code:
+   * ```
+   * class D : public A, public B, public C {
+   *   ...
+   * };
+   * ```
+   */
  ClassDerivation getDerivation(int index) {
    exists(ClassDerivation d | d.getDerivedClass() = this and d.getIndex() = index and d = result)
  }
@@ -900,6 +909,22 @@ class AbstractClass extends Class {
 class TemplateClass extends Class {
  TemplateClass() { usertypes(underlyingElement(this), _, 6) }

+  /**
+   * Gets a class instantiated from this template.
+   *
+   * For example for `MyTemplateClass<T>` in the following code, the results are
+   * `MyTemplateClass<int>` and `MyTemplateClass<long>`:
+   * ```
+   * template<class T>
+   * class MyTemplateClass {
+   *   ...
+   * };
+   *
+   * MyTemplateClass<int> instance;
+   *
+   * MyTemplateClass<long> instance;
+   * ```
+   */
  Class getAnInstantiation() {
    result.isConstructedFrom(this) and
    exists(result.getATemplateArgument())
--- a/cpp/ql/src/semmle/code/cpp/Comments.qll
+++ b/cpp/ql/src/semmle/code/cpp/Comments.qll
@@ -13,8 +13,20 @@ class Comment extends Locatable, @comment {

  override Location getLocation() { comments(underlyingElement(this), _, result) }

+  /**
+   * Gets the text of this comment, including the opening `//` or `/*`, and the closing `*``/` if
+   * present.
+   */
  string getContents() { comments(underlyingElement(this), result, _) }

+  /**
+   * Gets the AST element this comment is associated with. For example, the comment in the
+   * following code is associated with the declaration of `j`.
+   * ```
+   * int i;
+   * int j; // Comment on j
+   * ```
+   */
  Element getCommentedElement() {
    commentbinding(underlyingElement(this), unresolveElement(result))
  }
--- a/cpp/ql/src/semmle/code/cpp/Compilation.qll
+++ b/cpp/ql/src/semmle/code/cpp/Compilation.qll
@@ -40,6 +40,7 @@ class Compilation extends @compilation {
  /** Gets a file compiled during this invocation. */
  File getAFileCompiled() { result = getFileCompiled(_) }

+  /** Gets the `i`th file compiled during this invocation */
  File getFileCompiled(int i) { compilation_compiling_files(this, i, unresolveElement(result)) }

  /**
--- a/cpp/ql/src/semmle/code/cpp/Diagnostics.qll
+++ b/cpp/ql/src/semmle/code/cpp/Diagnostics.qll
@@ -11,6 +11,7 @@ class Diagnostic extends Locatable, @diagnostic {
  /** Gets the error code for this compiler message. */
  string getTag() { diagnostics(underlyingElement(this), _, result, _, _, _) }

+  /** Holds if `s` is the error code for this compiler message. */
  predicate hasTag(string s) { this.getTag() = s }

  /**
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -5,12 +5,6 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
@@ -33,42 +27,38 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | (unsigned long)... |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | (unsigned long)... |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | size |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | size |
 | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | (unsigned long)... |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size |
 | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
 | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | (unsigned long)... |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | size |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | size |
 | test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
 | test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | (unsigned long)... |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size |
 | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
 | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | (unsigned long)... |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | size |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | size |
 | test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
 | test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
+| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
+| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:42 | Store |
+| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:42 | Store |
+| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
+| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
+| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
+| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:235:11:235:20 | (size_t)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:235:11:235:20 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
+| test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
 nodes
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
@@ -77,11 +67,6 @@ nodes
 | test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
 | test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
 | test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
 | test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
 | test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
 | test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
@@ -99,53 +84,55 @@ nodes
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
-| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
-| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
 | test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:127:24:127:27 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:127:24:127:27 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:127:24:127:27 | size | semmle.label | size |
-| test.cpp:127:24:127:27 | size | semmle.label | size |
-| test.cpp:127:24:127:27 | size | semmle.label | size |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:132:19:132:24 | call to getenv | semmle.label | call to getenv |
 | test.cpp:132:19:132:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:134:10:134:13 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:134:10:134:13 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:134:10:134:13 | size | semmle.label | size |
-| test.cpp:134:10:134:13 | size | semmle.label | size |
-| test.cpp:134:10:134:13 | size | semmle.label | size |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:138:19:138:24 | call to getenv | semmle.label | call to getenv |
 | test.cpp:138:19:138:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:142:11:142:14 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:142:11:142:14 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:142:11:142:14 | size | semmle.label | size |
-| test.cpp:142:11:142:14 | size | semmle.label | size |
-| test.cpp:142:11:142:14 | size | semmle.label | size |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:201:9:201:42 | Store | semmle.label | Store |
+| test.cpp:201:14:201:19 | call to getenv | semmle.label | call to getenv |
+| test.cpp:201:14:201:27 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:214:23:214:23 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:220:21:220:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:227:24:227:29 | call to getenv | semmle.label | call to getenv |
+| test.cpp:227:24:227:37 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:235:11:235:20 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:237:10:237:19 | (size_t)... | semmle.label | (size_t)... |
 #select
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:43:38:43:63 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:52:35:52:60 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
-| test.cpp:127:24:127:41 | ... * ... | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
 | test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
-| test.cpp:134:10:134:27 | ... * ... | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
 | test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
-| test.cpp:142:11:142:28 | ... * ... | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
+| test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -5,8 +5,8 @@ typedef struct {} FILE;

 void *malloc(size_t size);
 void *realloc(void *ptr, size_t size);
+void free(void *ptr);
 int atoi(const char *nptr);
-
 struct MyStruct
 {
 	char data[256];
@@ -190,3 +190,49 @@ void more_bounded_tests() {
 		}
 	}
 }
+
+size_t get_untainted_size()
+{
+	return 10 * sizeof(int);
+}
+
+size_t get_tainted_size()
+{
+	return atoi(getenv("USER")) * sizeof(int);
+}
+
+size_t get_bounded_size()
+{
+	size_t s = atoi(getenv("USER")) * sizeof(int);
+
+	if (s < 0) { s = 0; }
+	if (s > 100) { s = 100; }
+
+	return s;
+}
+
+void *my_alloc(size_t s) {
+	void *ptr = malloc(s); // [UNHELPFUL RESULT]
+
+	return ptr;
+}
+
+void my_func(size_t s) {
+	void *ptr = malloc(s); // BAD
+
+	free(ptr);
+}
+
+void more_cases() {
+	int local_size = atoi(getenv("USER")) * sizeof(int);
+
+	malloc(local_size); // BAD
+	malloc(get_untainted_size()); // GOOD
+	malloc(get_tainted_size()); // BAD
+	malloc(get_bounded_size()); // GOOD
+
+	my_alloc(100); // GOOD
+	my_alloc(local_size); // BAD [NOT DETECTED IN CORRECT LOCATION]
+	my_func(100); // GOOD
+	my_func(local_size); // GOOD
+}