C++: Add false positive result from pointer-difference expressions.

This commit is contained in:
Mathias Vorreiter Pedersen
2021-05-14 13:47:23 +02:00
parent 5031b73f35
commit c1d41b3169
2 changed files with 23 additions and 0 deletions


@@ -87,6 +87,12 @@ edges
| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
| test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi |
| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | (size_t)... |
| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | (size_t)... |
| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
nodes
| test.cpp:39:21:39:24 | argv | semmle.label | argv |
| test.cpp:39:21:39:24 | argv | semmle.label | argv |
@@ -179,6 +185,13 @@ nodes
| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:321:15:321:20 | call to getenv | semmle.label | call to getenv |
| test.cpp:321:15:321:20 | call to getenv | semmle.label | call to getenv |
| test.cpp:324:9:324:14 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:324:9:324:14 | (size_t)... | semmle.label | (size_t)... |
| test.cpp:324:9:324:14 | offset | semmle.label | offset |
| test.cpp:324:9:324:14 | offset | semmle.label | offset |
| test.cpp:324:9:324:14 | offset | semmle.label | offset |
#select
| test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -196,3 +209,4 @@ nodes
| test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
| test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
| test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
| test.cpp:324:2:324:7 | call to malloc | test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset | This allocation size is derived from $@ and might overflow | test.cpp:321:15:321:20 | call to getenv | user input (getenv) |


@@ -314,3 +314,12 @@ void equality_cases() {
malloc(size * sizeof(int)); // GOOD
}
}
char * strstr(char *, const char *);
void ptr_diff_case() {
char* user = getenv("USER");
char* admin_begin_pos = strstr(user, "ADMIN");
int offset = admin_begin_pos ? user - admin_begin_pos : 0;
malloc(offset); // GOOD [FALSE POSITIVE]
}
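Review bot: The pointer difference on the `int offset = ...` line in ptr_diff_case looks reversed: `admin_begin_pos` is a pointer into `user` returned by `strstr`, so `user - admin_begin_pos` is zero or negative, and the `// GOOD [FALSE POSITIVE]` label does not hold for a non-positive value handed to `malloc` (a negative `int` converts to a huge `size_t`); the intended expression is presumably `int offset = admin_begin_pos ? admin_begin_pos - user : 0;`. The narrowing from `ptrdiff_t` to `int` is presumably deliberate for a fixture, but a short comment saying so, e.g. `// narrowing to int is intentional: the query should still treat the bounded difference as safe`, would make the test's intent explicit. `getenv` may return NULL and `strstr(user, "ADMIN")` would then dereference it; if the case is meant to exercise only the pointer-difference path, a `if (!user) return;` guard keeps the null-deref out of the picture. The expected-output file in the first section records the same result, so it would need updating alongside any change here.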