Merge pull request #2647 from geoffw0/modelpure

CPP: Improve strlen model
2025-12-21 03:06:31 +01:00 · 2020-01-21 09:42:10 +01:00
parent 79811fcccd 4f02183dc2
commit cdcd3ed748
8 changed files with 54 additions and 43 deletions
--- a/cpp/ql/src/semmle/code/cpp/commons/NullTermination.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/NullTermination.qll
@@ -80,14 +80,6 @@ predicate functionArgumentMustBeNullTerminated(Function f, int i) {
  f.(ArrayFunction).hasArrayInput(i)
  or
  f instanceof StrcatFunction and i = 0
-  or
-  f.hasName("strlen") and i = 0
-  or
-  f.hasName("strcmp") and i in [0 .. 1]
-  or
-  f.hasName("strchr") and i = 0
-  or
-  f.hasName("strstr") and i in [0 .. 1]
 }

 /**
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
@@ -30,7 +30,16 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
        name = "strtol" or
        name = "strtoll" or
        name = "strtoq" or
-        name = "strtoul"
+        name = "strtoul" or
+        name = "wcslen"
+      )
+      or
+      hasGlobalName(name) and
+      (
+        name = "_mbslen" or
+        name = "_mbslen_l" or
+        name = "_mbstrlen" or
+        name = "_mbstrlen_l"
      )
    )
  }
@@ -39,6 +48,10 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
    getParameter(bufParam).getUnspecifiedType() instanceof PointerType
  }

+  override predicate hasArrayWithNullTerminator(int bufParam) {
+    getParameter(bufParam).getUnspecifiedType() instanceof PointerType
+  }
+
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    exists(ParameterIndex i |
      input.isParameter(i) and