C++: Clean up SprintfBW and comment Sprintf.

2026-04-29 02:35:15 +02:00 · 2020-06-23 14:58:07 +01:00
parent c681e6999d
commit c3d275d0e7
2 changed files with 12 additions and 6 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -66,12 +66,19 @@ class Sprintf extends FormattingFunction {
  Sprintf() {
    this instanceof TopLevelFunction and
    (
+      // sprintf(dst, format, args...)
      hasGlobalOrStdName("sprintf") or
+      //  _sprintf_l(dst, format, locale, args...)
      hasGlobalName("_sprintf_l") or
+      // __swprintf_l(dst, format, locale, args...)
      hasGlobalName("__swprintf_l") or
+      // wsprintf(dst, format, args...)
      hasGlobalOrStdName("wsprintf") or
+      // g_strdup_printf(format, ...)
      hasGlobalName("g_strdup_printf") or
+      // g_sprintf(dst, format, ...)
      hasGlobalName("g_sprintf") or
+      // __builtin___sprintf_chk(dst, flag, os, format, ...)
      hasGlobalName("__builtin___sprintf_chk")
    ) and
    not exists(getDefinition().getFile().getRelativePath())
--- a/cpp/ql/src/semmle/code/cpp/security/BufferWrite.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/BufferWrite.qll
@@ -181,8 +181,10 @@ class StrCatBW extends BufferWriteCall {
 * A call to a variant of `sprintf`.
 */
 class SprintfBW extends BufferWriteCall {
+  FormattingFunction f;
+
  SprintfBW() {
-    exists(TopLevelFunction fn, string name | fn = getTarget() and name = fn.getName() |
+    exists(string name | f = getTarget().(TopLevelFunction) and name = f.getName() |
      /*
       * C sprintf variants:
       */
@@ -218,10 +220,7 @@ class SprintfBW extends BufferWriteCall {
  }

  override Type getBufferType() {
-    exists(FormattingFunction f |
-      f = this.getTarget() and
-      result = f.getParameter(f.getFormatParameterIndex()).getUnspecifiedType()
-    )
+    result = f.getParameter(f.getFormatParameterIndex()).getUnspecifiedType()
  }

  override Expr getASource() {
@@ -230,7 +229,7 @@ class SprintfBW extends BufferWriteCall {
    result = this.(FormattingFunctionCall).getFormatArgument(_)
  }

-  override Expr getDest() { result = getArgument(0) }
+  override Expr getDest() { result = getArgument(f.getOutputParameterIndex()) }

  override int getMaxData() {
    exists(FormatLiteral fl |