Update IfStatementAdditionOverflow.ql

2025-12-24 04:36:35 +01:00 · 2023-03-12 01:05:18 -05:00
parent 08f04d5386
commit dc09c9218e
1 changed files with 9 additions and 4 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
@@ -1,8 +1,13 @@
 /**
 * @name Integer addition may overflow inside if statement
- * @description "if (a+b>c) a=c-b" was detected where "a+b" may potentially
- *              produce an integer overflow (or wraparound). The code can be
- *              rewritten to "if (a>c-b) a=c-b" which avoids the overflow.
+ * @description Detects "if (a+b>c) a=c-b", which incorrectly implements
+ *              a = min(a,c-b) if a+b overflows. Should be replaced by
+ *              "if (a>c-b) a=c-b". Also detects "if (b+a>c) a=c-b"
+ *              (swapped terms in addition), if (a+b>c) { a=c-b }"
+ *              (assignment inside block), "c<a+b" (swapped operands) and
+ *              ">=", "<", "<=" instead of ">" (all operators). This
+ *              integer overflow is the root cause of the buffer overflow
+ *              in the SHA-3 reference implementation (CVE-2022-37454).
 * @kind problem
 * @problem.severity warning
 * @id cpp/if-statement-addition-overflow
@@ -34,4 +39,4 @@ where ifstmt.getCondition() = relop and
  (hashCons(addexpr.getRightOperand()) = hashCons(assignexpr.getLValue()) and
  globalValueNumber(addexpr.getLeftOperand()) = globalValueNumber(subexpr.getRightOperand()))) and
  globalValueNumber(relop.getAnOperand()) = globalValueNumber(subexpr.getLeftOperand())
-select ifstmt, "Integer addition may overflow inside if statement."
+select ifstmt, "\"if (a+b>c) a=c-b\" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as \"if (a>c-b) a=c-b\" which avoids the overflow.", addexpr, "addition"