C++: Fix false positive by restricting _both_ the old (unconverted) expression _and_ all of the conversions.

2026-04-30 03:05:15 +02:00 · 2021-05-10 15:18:42 +02:00
parent c7cd75437f
commit c0b65314be
2 changed files with 3 additions and 1 deletions
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -49,6 +49,9 @@ where
  small = rel.getLesserOperand() and
  large = rel.getGreaterOperand() and
  rel = l.getCondition().getAChild*() and
+  forall(Expr conv | conv = large.getConversion*() |
+    upperBound(conv).log2() > getComparisonSize(small) * 8
+  ) and
  upperBound(large.getFullyConverted()).log2() > getComparisonSize(small) * 8 and
  // Ignore cases where the smaller type is int or larger
  // These are still bugs, but you should need a very large string or array to
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
@@ -1,4 +1,3 @@
-| test3.cpp:6:8:6:71 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test3.cpp:5:34:5:38 | small | small | test3.cpp:6:42:6:70 | ... - ... | ... - ... |
 | test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
 | test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
 | test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |