C++: Cover variable sized member arrays without a size in Buffer.qll

Currently the extractor incorrectly emits 0 for the array `data` below: ``` struct myStruct { // c ... char data[]; // v }; ``` This will change in the future, and no size will be emitted anymore. This commit makes sure `Buffer.qll` handles arrays without sizes.
2025-12-17 01:03:14 +01:00 · 2022-04-22 12:42:27 +02:00
parent c015ef6ef4
commit dee0f09197
2 changed files with 20 additions and 4 deletions
--- a/cpp/ql/lib/change-notes/2022-04-22-no-size-array.md
+++ b/cpp/ql/lib/change-notes/2022-04-22-no-size-array.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `semmle.code.cpp.commons.Buffer` library has been enhanced to handle array members of classes that do not specify a size.
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -10,11 +10,18 @@ import semmle.code.cpp.dataflow.DataFlow
 *   char data[1]; // v
 * };
 * ```
- * This requires that `v` is an array of size 0 or 1.
+ * or
+ * ```
+ * struct myStruct { // c
+ *   int amount;
+ *   char data[]; // v
+ * };
+ * ```
+ * This requires that `v` is an array of size 0 or 1, or that the array has no size.
 */
 predicate memberMayBeVarSize(Class c, MemberVariable v) {
  c = v.getDeclaringType() and
-  v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
+  exists(ArrayType t | t = v.getUnspecifiedType() | not t.getArraySize() > 1)
 }

 /**
@@ -40,13 +47,18 @@ int getBufferSize(Expr bufferExpr, Element why) {
    result = why.(Expr).getType().(ArrayType).getSize() and
    not exists(bufferVar.getUnspecifiedType().(ArrayType).getSize())
    or
-    exists(Class parentClass, VariableAccess parentPtr |
+    exists(Class parentClass, VariableAccess parentPtr, int bufferSize |
      // buffer is the parentPtr->bufferVar of a 'variable size struct'
      memberMayBeVarSize(parentClass, bufferVar) and
      why = bufferVar and
      parentPtr = bufferExpr.(VariableAccess).getQualifier() and
      parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
-      result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
+      (
+        if exists(bufferVar.getType().getSize())
+        then bufferSize = bufferVar.getType().getSize()
+        else bufferSize = 0
+      ) and
+      result = getBufferSize(parentPtr, _) + bufferSize - parentClass.getSize()
    )
  )
  or