C++: Use range analysis in Overflow.qll

This commit is contained in:
Mathias Vorreiter Pedersen
2021-04-13 16:15:37 +02:00
parent 2d618d6b92
commit d1457995dd
4 changed files with 7 additions and 9 deletions


@@ -5,6 +5,7 @@
import cpp
import semmle.code.cpp.controlflow.Dominance
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
/**
* Holds if the value of `use` is guarded using `abs`.
@@ -94,9 +95,10 @@ predicate guardedGreater(Operation e, Expr use) {
VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
/**
* Holds if `e` is not guarded against overflow by `use`.
* Holds if `e` potentially overflows and `use` is an operand of `e` that is not guarded.
*/
predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
convertedExprMightOverflow(e) and
use = e.getAnOperand() and
exists(LocalScopeVariable v | use.getTarget() = v |
// overflow possible if large
@@ -115,9 +117,10 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
}
/**
* Holds if `e` is not guarded against underflow by `use`.
* Holds if `e` potentially underflows and `use` is an operand of `e` that is not guarded.
*/
predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
convertedExprMightOverflowNegatively(e) and
use = e.getAnOperand() and
exists(LocalScopeVariable v | use.getTarget() = v |
// underflow possible if use is left operand and small
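Review bot: The new conjunct in `missingGuardAgainstOverflow` is the two-sided `convertedExprMightOverflow(e)`, whereas `missingGuardAgainstUnderflow` uses the directional `convertedExprMightOverflowNegatively(e)`, so an operation that range analysis says can only drop below its minimum still passes the overflow filter. If that asymmetry is not intended, the line should read `convertedExprMightOverflowPositively(e) and`. Both predicates now drop every result for which SimpleRangeAnalysis bounds `e`, so the doc comments should say that "potentially" means "not ruled out by SimpleRangeAnalysis"; a missed finding in the queries built on these predicates can then be traced back to the computed bounds. Both predicate bodies continue outside the hunks shown.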