Merge pull request #923 from geoffw0/potentialbufferoverflow

CPP: Deprecate PotentialBufferOverflow.ql
2026-04-28 18:25:24 +02:00 · 2019-03-04 08:11:27 +00:00
parent b8f8ed55e6 25a5ff5e55
commit c49c23068a
16 changed files with 35 additions and 24 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
@@ -0,0 +1,4 @@
+| tests.cpp:258:2:258:8 | call to sprintf | This 'call to sprintf' operation requires 17 bytes but the destination is only 10 bytes. |
+| tests.cpp:259:2:259:8 | call to sprintf | This 'call to sprintf' operation requires 17 bytes but the destination is only 10 bytes. |
+| tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
+| tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-120/OverrunWrite.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.expected
@@ -0,0 +1 @@
+| tests.cpp:287:2:287:8 | call to sprintf | This 'call to sprintf' operation may require 318 bytes because of float conversions, but the target is only 64 bytes. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-120/OverrunWriteFloat.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/PotentialBufferOverflow.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/PotentialBufferOverflow.expected
@@ -1,4 +0,0 @@
-| tests.cpp:258:2:258:8 | call to sprintf | This conversion may yield a string of length 17, which exceeds the allocated buffer size of 10 |
-| tests.cpp:259:2:259:8 | call to sprintf | This conversion may yield a string of length 17, which exceeds the allocated buffer size of 10 |
-| tests.cpp:272:2:272:8 | call to sprintf | This conversion may yield a string of length 9, which exceeds the allocated buffer size of 8 |
-| tests.cpp:273:2:273:8 | call to sprintf | This conversion may yield a string of length 9, which exceeds the allocated buffer size of 8 |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/PotentialBufferOverflow.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/PotentialBufferOverflow.qlref
@@ -1 +0,0 @@
-Likely Bugs/Memory Management/PotentialBufferOverflow.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
@@ -272,3 +272,20 @@ void test4()
 	sprintf(buffer8, "12345678"); // BAD: buffer overflow
 	sprintf(buffer8_ptr, "12345678"); // BAD: buffer overflow
 }
+
+typedef void *va_list;
+int vsprintf(char *s, const char *format, va_list arg);
+
+void test5(va_list args, float f)
+{
+	char buffer10[10], buffer64[64];
+	char *buffer4 = new char[4 * sizeof(char)];
+
+	vsprintf(buffer10, "123456789", args); // GOOD
+	vsprintf(buffer10, "1234567890", args); // BAD: buffer overflow [NOT DETECTED]
+
+	sprintf(buffer64, "%f", f); // BAD: potential buffer overflow
+
+	vsprintf(buffer4, "123", args); // GOOD
+	vsprintf(buffer4, "1234", args); // BAD: buffer overflow [NOT DETECTED]
+}
				`@@ -0,0 +1 @@`
				`\| tests.cpp:287:2:287:8 \| call to sprintf \| This 'call to sprintf' operation may require 318 bytes because of float conversions, but the target is only 64 bytes. \|`
				`@@ -1 +0,0 @@`
				`Likely Bugs/Memory Management/PotentialBufferOverflow.ql`