Use Strcpy.qll in StrncpyFlippedArgs.ql

As a result, the query gets access to more types of strncpy-like functions, as demonstrated by test.cpp, which now "fails" (i.e. works) for the new test cases instroduced in the previous commit.
2025-12-21 19:26:31 +01:00 · 2022-08-09 15:59:41 +02:00
parent 554aea1bb8
commit df419003ad
2 changed files with 8 additions and 32 deletions
--- a/Management/StrncpyFlippedArgs.ql
+++ b/Management/StrncpyFlippedArgs.ql
@@ -18,6 +18,7 @@
 import cpp
 import Buffer
 private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+private import semmle.code.cpp.models.implementations.Strcpy

 predicate isSizePlus(Expr e, BufferSizeExpr baseSize, int plus) {
  // baseSize
@@ -41,33 +42,6 @@ predicate isSizePlus(Expr e, BufferSizeExpr baseSize, int plus) {
  )
 }

-predicate strncpyFunction(Function f, int argDest, int argSrc, int argLimit) {
-  exists(string name | name = f.getName() |
-    name =
-      [
-        "strcpy_s", // strcpy_s(dst, max_amount, src)
-        "wcscpy_s", // wcscpy_s(dst, max_amount, src)
-        "_mbscpy_s" // _mbscpy_s(dst, max_amount, src)
-      ] and
-    argDest = 0 and
-    argSrc = 2 and
-    argLimit = 1
-    or
-    name =
-      [
-        "strncpy", // strncpy(dst, src, max_amount)
-        "strncpy_l", // strncpy_l(dst, src, max_amount, locale)
-        "wcsncpy", // wcsncpy(dst, src, max_amount)
-        "_wcsncpy_l", // _wcsncpy_l(dst, src, max_amount, locale)
-        "_mbsncpy", // _mbsncpy(dst, src, max_amount)
-        "_mbsncpy_l" // _mbsncpy_l(dst, src, max_amount, locale)
-      ] and
-    argDest = 0 and
-    argSrc = 1 and
-    argLimit = 2
-  )
-}
-
 string nthString(int num) {
  num = 0 and
  result = "first"
@@ -96,11 +70,13 @@ int arrayExprFixedSize(Expr e) {
 }

 from
-  Function f, FunctionCall fc, int argDest, int argSrc, int argLimit, int charSize, Access copyDest,
+  StrcpyFunction f, FunctionCall fc, int argDest, int argSrc, int argLimit, int charSize, Access copyDest,
  Access copySource, string name, string nth
 where
  f = fc.getTarget() and
-  strncpyFunction(f, argDest, argSrc, argLimit) and
+  argDest = f.getParamDest() and
+  argSrc = f.getParamSrc() and
+  argLimit = f.getParamSize() and
  copyDest = fc.getArgument(argDest) and
  copySource = fc.getArgument(argSrc) and
  // Some of the functions operate on a larger char type, like `wchar_t`, so we
--- a/Management/StrncpyFlippedArgs/test.cpp
+++ b/Management/StrncpyFlippedArgs/test.cpp
@@ -102,10 +102,10 @@ void test9()
 	wchar_t buf2[20];
 	const wchar_t *str = L"01234567890123456789";

-	wcsxfrm_l(buf1, str, sizeof(buf1), nullptr); // (bad, but not a strncpyflippedargs bug)
-	wcsxfrm_l(buf1, str, sizeof(buf1) / sizeof(wchar_t), nullptr);
+	wcsxfrm_l(buf1, str, sizeof(buf1), nullptr);					// BAD (but not a StrncpyFlippedArgs bug)
+	wcsxfrm_l(buf1, str, sizeof(buf1) / sizeof(wchar_t), nullptr);	// GOOD
 	wcsxfrm_l(buf1, str, wcslen(str), nullptr);						// BAD
 	wcsxfrm_l(buf1, str, wcslen(str) + 1, nullptr);					// BAD
 	wcsxfrm_l(buf1, buf2, sizeof(buf2), nullptr);					// BAD
-	wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD [NOT DETECTED]
+	wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD
 }