C++: Fix some code duplication.

2026-04-29 02:35:15 +02:00 · 2022-01-17 16:13:48 +00:00
parent 065043b311
commit d475101286
2 changed files with 18 additions and 14 deletions
--- a/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll
@@ -101,6 +101,21 @@ predicate functionArgumentMustBeNullTerminated(Function f, int i) {
  f instanceof StrcatFunction and i = 0
 }

+/**
+ * Holds if `arg` is a string format argument to a formatting function call
+ * `ffc`.
+ */
+predicate formatArgumentMustBeNullTerminated(FormattingFunctionCall ffc, Expr arg) {
+  // String argument to a formatting function (such as `printf`)
+  exists(int n, FormatLiteral fl |
+    ffc.getConversionArgument(n) = arg and
+    fl = ffc.getFormat() and
+    fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
+    not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
+    not fl.hasPrecision(n) // exclude: `%.*s`
+  )
+}
+
 /**
 * Holds if `va` is a variable access where the contents must be null terminated.
 */
@@ -113,13 +128,7 @@ predicate variableMustBeNullTerminated(VariableAccess va) {
    )
    or
    // String argument to a formatting function (such as `printf`)
-    exists(int n, FormatLiteral fl |
-      fc.(FormattingFunctionCall).getConversionArgument(n) = va and
-      fl = fc.(FormattingFunctionCall).getFormat() and
-      fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
-      not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
-      not fl.hasPrecision(n) // exclude: `%.*s`
-    )
+    formatArgumentMustBeNullTerminated(fc, va)
    or
    // Call to a wrapper function that requires null termination
    // (not itself adding a null terminator)
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -19,6 +19,7 @@ import cpp
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Allocation
+import semmle.code.cpp.commons.NullTermination

 predicate terminationProblem(AllocationExpr malloc, string msg) {
  // malloc(strlen(...))
@@ -35,13 +36,7 @@ predicate terminationProblem(AllocationExpr malloc, string msg) {
      af.hasArrayWithUnknownSize(arg)
      or
      // flows into string argument to a formatting function (such as `printf`)
-      exists(int n, FormatLiteral fl |
-        fc.getArgument(arg) = fc.(FormattingFunctionCall).getConversionArgument(n) and
-        fl = fc.(FormattingFunctionCall).getFormat() and
-        fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
-        not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
-        not fl.hasPrecision(n) // exclude: `%.*s`
-      )
+      formatArgumentMustBeNullTerminated(fc, fc.getArgument(arg))
    )
  ) and
  msg = "This allocation does not include space to null-terminate the string."