Merge pull request #10398 from MathiasVP/further-work-on-buffer-over-queries

C++: Further work on buffer-overflow queries
This commit is contained in:
Robert Marsh
2022-09-23 11:06:32 -04:00
committed by GitHub
6 changed files with 206 additions and 43 deletions


@@ -1,3 +1,13 @@
/**
* @name Off-by-one in array access
* @description TODO
* @kind path-problem
* @problem.severity error
* @id cpp/off-by-one-array-access
* @tags reliability
* security
*/
import cpp
import experimental.semmle.code.cpp.dataflow.ProductFlow
import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
@@ -7,6 +17,21 @@ import semmle.code.cpp.ir.IR
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.models.interfaces.Allocation
import semmle.code.cpp.ir.IRConfiguration
import DataFlow::PathGraph
// temporary - custom allocator for ffmpeg
class AvBufferAlloc extends AllocationFunction {
AvBufferAlloc() { this.hasGlobalName(["av_mallocz", "av_malloc"]) }
override int getSizeArg() { result = 0 }
}
// temporary - custom allocator for php
class PhpEmalloc extends AllocationFunction {
PhpEmalloc() { this.hasGlobalName(["_emalloc"]) }
override int getSizeArg() { result = 0 }
}
predicate bounded(Instruction i, Bound b, int delta, boolean upper) {
// TODO: reason
@@ -17,18 +42,12 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {
ArraySizeConfiguration() { this = "ArraySizeConfiguration" }
override predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) {
exists(GVN sizeGvn |
source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
source2.asConvertedExpr() = sizeGvn.getAnExpr()
)
source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = source2.asConvertedExpr()
}
override predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2) {
exists(PointerAddInstruction pai, Instruction index, Bound b, int delta |
pai.getRight() = index and
pai.getLeft() = sink1.asInstruction() and
bounded(index, b, delta, true) and
sink2.asInstruction() = b.getInstruction() and
exists(PointerAddInstruction pai, int delta |
isSinkPair1(sink1, sink2, pai, delta) and
(
delta = 0 and
exists(DataFlow::Node paiNode, DataFlow::Node derefNode |
@@ -43,9 +62,22 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {
}
}
pragma[nomagic]
predicate isSinkPair1(
DataFlow::Node sink1, DataFlow::Node sink2, PointerAddInstruction pai, int delta
) {
exists(Instruction index, ValueNumberBound b |
pai.getRight() = index and
pai.getLeft() = sink1.asInstruction() and
bounded(index, b, delta, true) and
sink2.asInstruction() = b.getInstruction()
)
}
from
ArraySizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
DataFlow::PathNode sink1, DataFlow2::PathNode sink2
where conf.hasFlowPath(source1, source2, sink1, sink2)
// TODO: pull delta out and display it
select source1, source2, sink1, sink2
select sink1.getNode(), source1, sink1, "Off-by one error allocated at $@ bounded by $@.", source1,
source1.toString(), sink2, sink2.toString()
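Review bot: The alert message on the new select line at the end of the last hunk reads `"Off-by one error allocated at $@ bounded by $@."`; it should be `"Off-by-one error allocated at $@ bounded by $@."` to match the query's `@name`, and the expected-output file in this commit will need regenerating once it changes. The second `$@` is labelled with `sink2.toString()`, which in the expected output renders as the IR opcode (`Load`, `Store`, `Convert`) rather than the size expression a reader needs to see; the overrun-write query's select in this commit has the same labelling. The expected output also shows up to five rows for a single sink (`test.cpp:63:13:63:13`) differing only in the bound, one of them the condition of a different loop, which suggests `isSinkPair1` pairs a sink with every instruction carrying the bound's value number rather than the one the index is actually compared against — worth confirming before the delta is surfaced. The `AvBufferAlloc` and `PhpEmalloc` classes in the second hunk are marked `// temporary` yet live in the query itself; either a tracking reference in that comment or a move into a model file would keep project-specific allocator models from shipping inside a generic query.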


@@ -1,20 +1,26 @@
/**
* @name Overrunning write
* @description TODO
* @kind path-problem
* @problem.severity error
* @id cpp/overrun-write
* @tags reliability
* security
*/
import cpp
import experimental.semmle.code.cpp.dataflow.ProductFlow
import semmle.code.cpp.ir.IR
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.models.interfaces.Allocation
import semmle.code.cpp.models.interfaces.ArrayFunction
import DataFlow::PathGraph
class StringSizeConfiguration extends ProductFlow::Configuration {
StringSizeConfiguration() { this = "StringSizeConfiguration" }
override predicate isSourcePair(DataFlow::Node bufSource, DataFlow::Node sizeSource) {
exists(
GVN sizeGvn // TODO: use-use flow instead of GVN
|
bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
sizeSource.asConvertedExpr() = sizeGvn.getAnExpr()
)
bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeSource.asConvertedExpr()
}
override predicate isSinkPair(DataFlow::Node bufSink, DataFlow::Node sizeSink) {
@@ -31,4 +37,6 @@ from
StringSizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
DataFlow::PathNode sink1, DataFlow2::PathNode sink2
where conf.hasFlowPath(source1, source2, sink1, sink2)
select source1, source2, sink1, sink2
// TODO: pull delta out and display it
select sink1.getNode(), source1, sink1, "Overrunning write allocated at $@ bounded by $@.", source1,
source1.toString(), sink2, sink2.toString()
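Review bot: `@description TODO` in the metadata at the top of the first hunk is still a placeholder, as it is in the off-by-one query in this commit; a one-sentence description along the lines of `@description A write to a buffer whose index is bounded by a value derived from the buffer's allocation size may run past the end of the buffer.` would let the query surface properly. The rewritten `isSourcePair` is now the same predicate, token for token, as `ArraySizeConfiguration.isSourcePair` in the off-by-one query; a shared predicate in a library file would keep the two from drifting apart. The `// TODO: use-use flow instead of GVN` note was dropped together with the GVN code, so if direct equality on `asConvertedExpr()` is an interim step rather than the intended final form, that intent is now undocumented.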


@@ -1,2 +1,33 @@
| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:26:18:26:23 | Load | test.cpp:26:31:26:39 | Convert |
| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:30:18:30:23 | Load | test.cpp:30:31:30:39 | Convert |
edges
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:24:21:24:31 | Call indirection [string] |
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:34:21:34:31 | Call indirection [string] |
| test.cpp:18:5:18:30 | Store | test.cpp:18:10:18:15 | Load indirection [post update] [string] |
| test.cpp:18:10:18:15 | Load indirection [post update] [string] | test.cpp:16:11:16:21 | VariableAddress indirection [string] |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | Store |
| test.cpp:24:21:24:31 | Call indirection [string] | test.cpp:26:13:26:15 | Load indirection [string] |
| test.cpp:26:13:26:15 | Load indirection [string] | test.cpp:26:18:26:23 | FieldAddress indirection |
| test.cpp:26:18:26:23 | FieldAddress indirection | test.cpp:26:18:26:23 | Load |
| test.cpp:29:32:29:34 | str indirection [string] | test.cpp:30:13:30:15 | Load indirection [string] |
| test.cpp:30:13:30:15 | Load indirection [string] | test.cpp:30:18:30:23 | FieldAddress indirection |
| test.cpp:30:18:30:23 | FieldAddress indirection | test.cpp:30:18:30:23 | Load |
| test.cpp:34:21:34:31 | Call indirection [string] | test.cpp:35:21:35:23 | str indirection [string] |
| test.cpp:35:21:35:23 | str indirection [string] | test.cpp:29:32:29:34 | str indirection [string] |
nodes
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | semmle.label | VariableAddress indirection [string] |
| test.cpp:18:5:18:30 | Store | semmle.label | Store |
| test.cpp:18:10:18:15 | Load indirection [post update] [string] | semmle.label | Load indirection [post update] [string] |
| test.cpp:18:19:18:24 | call to malloc | semmle.label | call to malloc |
| test.cpp:24:21:24:31 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:26:13:26:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:26:18:26:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:26:18:26:23 | Load | semmle.label | Load |
| test.cpp:29:32:29:34 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:30:13:30:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:30:18:30:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:30:18:30:23 | Load | semmle.label | Load |
| test.cpp:34:21:34:31 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:35:21:35:23 | str indirection [string] | semmle.label | str indirection [string] |
subpaths
#select
| test.cpp:26:18:26:23 | Load | test.cpp:18:19:18:24 | call to malloc | test.cpp:26:18:26:23 | Load | Overrunning write allocated at $@ bounded by $@. | test.cpp:18:19:18:24 | call to malloc | call to malloc | test.cpp:26:31:26:39 | Convert | Convert |
| test.cpp:30:18:30:23 | Load | test.cpp:18:19:18:24 | call to malloc | test.cpp:30:18:30:23 | Load | Overrunning write allocated at $@ bounded by $@. | test.cpp:18:19:18:24 | call to malloc | call to malloc | test.cpp:30:31:30:39 | Convert | Convert |


@@ -15,8 +15,8 @@ typedef struct
string_t *mk_string_t(int size) {
string_t *str = (string_t *) malloc(sizeof(string_t));
str->size = size;
str->string = malloc(size);
str->size = size;
return str;
}
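Review bot: Moving `str->size = size;` below `str->string = malloc(size);` in `mk_string_t` carries no comment saying why the order matters, and the same swap is made three times in the off-by-one test file in this commit; presumably the queries only pair the allocation with the size store when the store follows the allocation, but nothing in the test says so. A comment on each such function, e.g. `// NOTE: keep the size store after the allocation; the expected results depend on this order`, would stop a later tidy-up from silently changing the expected output.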


@@ -1,20 +1,112 @@
| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | Load | test.cpp:5:25:5:28 | Load |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | Load | test.cpp:9:26:9:29 | Load |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | Load | test.cpp:5:25:5:28 | Load |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | Load | test.cpp:9:26:9:29 | Load |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | Load | test.cpp:9:26:9:29 | Load |
| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:35:13:35:13 | Load | test.cpp:30:29:30:32 | Load |
| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:35:13:35:13 | Load | test.cpp:34:30:34:33 | Load |
| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:45:13:45:13 | Load | test.cpp:40:29:40:32 | Load |
| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:45:13:45:13 | Load | test.cpp:44:30:44:33 | Load |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:55:5:55:19 | Store |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:55:5:55:19 | Store |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:55:16:55:19 | Load |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:56:20:56:23 | Load |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:58:29:58:32 | Load |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:62:30:62:33 | Load |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | Load | test.cpp:58:29:58:32 | Load |
| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | Load | test.cpp:62:30:62:33 | Load |
| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:83:14:83:14 | Load | test.cpp:82:31:82:34 | Load |
| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | Load | test.cpp:88:30:88:33 | Load |
| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | Load | test.cpp:92:31:92:34 | Load |
edges
| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | Load |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:31:9:31:11 | arr indirection [p] |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:35:9:35:11 | arr indirection [p] |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
| test.cpp:21:5:21:24 | Store | test.cpp:21:9:21:9 | arr indirection [post update] [p] |
| test.cpp:21:9:21:9 | arr indirection [post update] [p] | test.cpp:19:9:19:16 | VariableAddress indirection [p] |
| test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | Store |
| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p |
| test.cpp:31:13:31:13 | p | test.cpp:31:13:31:13 | Load |
| test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p |
| test.cpp:35:13:35:13 | p | test.cpp:35:13:35:13 | Load |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | arr indirection [p] |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | arr indirection [p] |
| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p |
| test.cpp:41:13:41:13 | p | test.cpp:41:13:41:13 | Load |
| test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p |
| test.cpp:45:13:45:13 | p | test.cpp:45:13:45:13 | Load |
| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
| test.cpp:55:5:55:24 | Store | test.cpp:55:9:55:9 | arr indirection [post update] [p] |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:59:9:59:11 | arr indirection [p] |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:63:9:63:11 | arr indirection [p] |
| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | Store |
| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p |
| test.cpp:59:13:59:13 | p | test.cpp:59:13:59:13 | Load |
| test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p |
| test.cpp:63:13:63:13 | p | test.cpp:63:13:63:13 | Load |
| test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:76:20:76:29 | Call indirection [p] |
| test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
| test.cpp:69:5:69:25 | Store | test.cpp:69:10:69:10 | Load indirection [post update] [p] |
| test.cpp:69:10:69:10 | Load indirection [post update] [p] | test.cpp:67:10:67:19 | VariableAddress indirection [p] |
| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | Store |
| test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:79:9:79:11 | Load indirection [p] |
| test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:83:9:83:11 | Load indirection [p] |
| test.cpp:79:9:79:11 | Load indirection [p] | test.cpp:79:14:79:14 | p |
| test.cpp:79:14:79:14 | p | test.cpp:79:14:79:14 | Load |
| test.cpp:83:9:83:11 | Load indirection [p] | test.cpp:83:14:83:14 | p |
| test.cpp:83:14:83:14 | p | test.cpp:83:14:83:14 | Load |
| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:89:9:89:11 | Load indirection [p] |
| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:93:9:93:11 | Load indirection [p] |
| test.cpp:89:9:89:11 | Load indirection [p] | test.cpp:89:14:89:14 | p |
| test.cpp:89:14:89:14 | p | test.cpp:89:14:89:14 | Load |
| test.cpp:93:9:93:11 | Load indirection [p] | test.cpp:93:14:93:14 | p |
| test.cpp:93:14:93:14 | p | test.cpp:93:14:93:14 | Load |
| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | test.cpp:87:28:87:30 | arr indirection [p] |
nodes
| test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
| test.cpp:6:9:6:11 | Load | semmle.label | Load |
| test.cpp:10:9:10:11 | Load | semmle.label | Load |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
| test.cpp:21:5:21:24 | Store | semmle.label | Store |
| test.cpp:21:9:21:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
| test.cpp:21:13:21:18 | call to malloc | semmle.label | call to malloc |
| test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:31:13:31:13 | Load | semmle.label | Load |
| test.cpp:31:13:31:13 | p | semmle.label | p |
| test.cpp:35:9:35:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:35:13:35:13 | Load | semmle.label | Load |
| test.cpp:35:13:35:13 | p | semmle.label | p |
| test.cpp:39:27:39:29 | arr [p] | semmle.label | arr [p] |
| test.cpp:41:9:41:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:41:13:41:13 | Load | semmle.label | Load |
| test.cpp:41:13:41:13 | p | semmle.label | p |
| test.cpp:45:9:45:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:45:13:45:13 | Load | semmle.label | Load |
| test.cpp:45:13:45:13 | p | semmle.label | p |
| test.cpp:50:18:50:25 | call to mk_array [p] | semmle.label | call to mk_array [p] |
| test.cpp:55:5:55:24 | Store | semmle.label | Store |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
| test.cpp:55:13:55:18 | call to malloc | semmle.label | call to malloc |
| test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:59:13:59:13 | Load | semmle.label | Load |
| test.cpp:59:13:59:13 | p | semmle.label | p |
| test.cpp:63:9:63:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:63:13:63:13 | Load | semmle.label | Load |
| test.cpp:63:13:63:13 | p | semmle.label | p |
| test.cpp:67:10:67:19 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
| test.cpp:69:5:69:25 | Store | semmle.label | Store |
| test.cpp:69:10:69:10 | Load indirection [post update] [p] | semmle.label | Load indirection [post update] [p] |
| test.cpp:69:14:69:19 | call to malloc | semmle.label | call to malloc |
| test.cpp:76:20:76:29 | Call indirection [p] | semmle.label | Call indirection [p] |
| test.cpp:79:9:79:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:79:14:79:14 | Load | semmle.label | Load |
| test.cpp:79:14:79:14 | p | semmle.label | p |
| test.cpp:83:9:83:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:83:14:83:14 | Load | semmle.label | Load |
| test.cpp:83:14:83:14 | p | semmle.label | p |
| test.cpp:87:28:87:30 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:89:9:89:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:89:14:89:14 | Load | semmle.label | Load |
| test.cpp:89:14:89:14 | p | semmle.label | p |
| test.cpp:93:9:93:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:93:14:93:14 | Load | semmle.label | Load |
| test.cpp:93:14:93:14 | p | semmle.label | p |
| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
subpaths
#select
| test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | Load | Load |
| test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | Load | Load |
| test.cpp:35:13:35:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | Load | Load |
| test.cpp:35:13:35:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | Load | Load |
| test.cpp:45:13:45:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | Load | Load |
| test.cpp:45:13:45:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | Load | Load |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | Store | Store |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | Store | Store |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | Load | Load |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | Load | Load |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | Load | Load |
| test.cpp:83:14:83:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | Load | Load |
| test.cpp:93:14:93:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | Load | Load |
| test.cpp:93:14:93:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | Load | Load |


@@ -18,8 +18,8 @@ typedef struct {
array_t mk_array(int size) {
array_t arr;
arr.size = size;
arr.p = malloc(size);
arr.size = size;
return arr;
}
@@ -52,8 +52,8 @@ void test3(int size) {
void test4(int size) {
array_t arr;
arr.size = size;
arr.p = malloc(size);
arr.size = size;
for (int i = 0; i < arr.size; i++) {
arr.p[i] = 0; // GOOD
@@ -66,8 +66,8 @@ void test4(int size) {
array_t *mk_array_p(int size) {
array_t *arr = (array_t*) malloc(sizeof(array_t));
arr->size = size;
arr->p = malloc(size);
arr->size = size;
return arr;
}