Merge pull request #17037 from geoffw0/sizecheck

C++: Fix issue with cpp/suspicious-allocation-size
2025-12-18 01:33:15 +01:00 · 2024-07-23 14:47:17 +01:00
parent 1ed5af1d6a 437c679266
commit e467cc033e
5 changed files with 43 additions and 4 deletions
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -15,6 +15,7 @@

 import cpp
 import semmle.code.cpp.models.Models
+import semmle.code.cpp.commons.Buffer

 predicate baseType(AllocationExpr alloc, Type base) {
  exists(PointerType pointer |
@@ -30,7 +31,8 @@ predicate baseType(AllocationExpr alloc, Type base) {
 }

 predicate decideOnSize(Type t, int size) {
-  // If the codebase has more than one type with the same name, it can have more than one size.
+  // If the codebase has more than one type with the same name, it can have more than one size. For
+  // most purposes in this query, we use the smallest.
  size = min(t.getSize())
 }

@@ -45,7 +47,8 @@ where
    size = 0 or
    (allocated / size) * size = allocated
  ) and
-  not basesize > allocated // covered by SizeCheck.ql
+  not basesize > allocated and // covered by SizeCheck.ql
+  not memberMayBeVarSize(base.getUnspecifiedType(), _) // exclude variable size types
 select alloc,
  "Allocated memory (" + allocated.toString() + " bytes) is not a multiple of the size of '" +
    base.getName() + "' (" + basesize.toString() + " bytes)."
--- a/cpp/ql/src/change-notes/2024-07-22-suspicious-allocation-size.md
+++ b/cpp/ql/src/change-notes/2024-07-22-suspicious-allocation-size.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/suspicious-allocation-size` ("Not enough memory allocated for array of pointer type") query no longer produces false positives on "variable size" `struct`s.