hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2577 from MathiasVP/multiplication-overflow-not-possible-due-to-type-width

Browse Source 
Multiplication overflow not possible due to type width
This commit is contained in:
Geoffrey White
2020-01-08 17:18:33 +00:00
committed by GitHub
parent ad0ad3a3e4 100ace532f
commit cf5dd85944
3 changed files with 150 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c
View File

@@ -92,3 +92,37 @@ void use_printf(float f, double d)
size_t three_chars(unsigned char a, unsigned char b, unsigned char c) {
return a * b * c; // at most 16581375
}
void g(unsigned char uchar1, unsigned char uchar2, unsigned char uchar3, int i) {
unsigned long ulong1, ulong2, ulong3, ulong4, ulong5;
ulong1 = (uchar1 + 1) * (uchar2 + 1); // GOOD
ulong2 = (i + 1) * (uchar2 + 1); // BAD
ulong3 = (uchar1 + 1) * (uchar2 + 1) * (uchar3 + 1); // GOOD
ulong4 = (uchar1 + (uchar1 + 1)) * (uchar2 + 1); // GOOD
ulong5 = (i + (uchar1 + 1)) * (uchar2 + 1); // BAD
ulong5 = (uchar1 + 1073741824) * uchar2; // BAD [NOT DETECTED]
ulong5 = (uchar1 + (1 << 30)) * uchar2; // BAD [NOT DETECTED]
ulong5 = uchar1 * uchar1 * uchar1 * uchar2 * uchar2 * uchar2; // BAD [NOT DETECTED]
ulong5 = (uchar1 + (unsigned short)(-1)) * (uchar2 + (unsigned short)(-1)); // BAD
}
struct A {
short s;
int i;
};
void g2(struct A* a, short n) {
unsigned long ulong1, ulong2;
ulong1 = (a->s - 1) * ((*a).s + 1); // GOOD
ulong2 = a->i * (*a).i; // BAD
}
int global_i;
unsigned char global_uchar;
void g3() {
unsigned long ulong1, ulong2;
ulong1 = global_i * global_i; // BAD
ulong2 = (global_uchar + 1) * 2; // GOOD
}

5
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
View File

@@ -7,3 +7,8 @@
| IntMultToLong.c:61:23:61:33 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
| IntMultToLong.c:63:23:63:40 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
| IntMultToLong.c:75:9:75:13 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'size_t'. |
| IntMultToLong.c:99:14:99:35 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
| IntMultToLong.c:103:14:103:46 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
| IntMultToLong.c:108:14:108:78 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
| IntMultToLong.c:119:14:119:26 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
| IntMultToLong.c:126:14:126:32 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |