Merge branch 'main' into reuse-even-more-nodes
@@ -6,3 +6,5 @@
|
||||
| test.cpp:39:23:39:28 | ... == ... | This '==' operator has no effect. The assignment ('=') operator was probably intended. |
|
||||
| test.cpp:42:23:42:28 | ... == ... | This '==' operator has no effect. The assignment ('=') operator was probably intended. |
|
||||
| test.cpp:51:13:51:13 | call to operator== | This '==' operator has no effect. The assignment ('=') operator was probably intended. |
|
||||
| test.cpp:72:3:72:8 | ... == ... | This '==' operator has no effect. The assignment ('=') operator was probably intended. |
|
||||
| test.cpp:73:3:73:12 | ... == ... | This '==' operator has no effect. The assignment ('=') operator was probably intended. |
|
||||
|
||||
@@ -61,3 +61,14 @@ template<typename T1, typename T2>
|
||||
auto sfinaeTrick(T1 x1, T2 x2) -> decltype(x1 == x2, bool()) { // GOOD
|
||||
return x1 == x2;
|
||||
}
|
||||
|
||||
void report_error(const char*);
|
||||
|
||||
#define DOES_NOT_THROW(E) do { try { E; } catch (...) { report_error(""); } } while(0)
|
||||
#define ID(X) (X)
|
||||
|
||||
void test_inside_macro_expansion(int x, int y) {
|
||||
DOES_NOT_THROW(x == y); // GOOD
|
||||
x == y; // BAD
|
||||
x == ID(y); // BAD
|
||||
}
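Review bot: `test_inside_macro_expansion` never places the whole comparison inside the expression-like macro, so the fixture pins `DOES_NOT_THROW(x == y)` as GOOD and `x == ID(y)` as BAD but leaves `ID(x == y);` undecided. Adding that statement after the `x == ID(y)` line, annotated with whichever result the query intends, would fix the boundary between a statement produced by a macro and an operand merely wrapped by one; which of the two the exemption keys on is not visible from this hunk. A comment above `DOES_NOT_THROW`, for example `// The expression is evaluated only to check that it does not throw, so its result is deliberately unused.`, would also tell the next reader why that line is GOOD.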
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
testFailures
|
||||
failures
|
||||
@@ -0,0 +1,29 @@
|
||||
import cpp
|
||||
import semmle.code.cpp.security.InvalidPointerDereference.AllocationToInvalidPointer
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
import semmle.code.cpp.ir.IR
|
||||
import semmle.code.cpp.dataflow.new.DataFlow
|
||||
|
||||
module AllocationToInvalidPointerTest implements TestSig {
|
||||
string getARelevantTag() { result = "alloc" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(DataFlow::Node allocation, PointerAddInstruction pai, int delta |
|
||||
pointerAddInstructionHasBounds(allocation, pai, _, delta) and
|
||||
location = pai.getLocation() and
|
||||
element = pai.toString() and
|
||||
tag = "alloc"
|
||||
|
|
||||
delta > 0 and
|
||||
value = "L" + allocation.getLocation().getStartLine().toString() + "+" + delta.toString()
|
||||
or
|
||||
delta = 0 and
|
||||
value = "L" + allocation.getLocation().getStartLine().toString()
|
||||
or
|
||||
delta < 0 and
|
||||
value = "L" + allocation.getLocation().getStartLine().toString() + "-" + (-delta).toString()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<AllocationToInvalidPointerTest>
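Review bot: `AllocationToInvalidPointerTest` has no QLDoc, and nothing in the file explains the `value` string that `hasActualResult` builds. A module comment such as `/** Tags each bounded pointer-add as alloc=L<allocation start line>, with +<delta> or -<delta> appended when delta is non-zero. */` would let a reader decode the inline annotations in test.cpp. The third argument of `pointerAddInstructionHasBounds` is wildcarded, so these expectations do not pin what it binds to; a one-line comment saying this is intentional would help. The prefix `"L" + allocation.getLocation().getStartLine().toString()` is repeated in all three disjuncts and could be bound once inside the `exists`, so the cases differ only in their suffix.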
|
||||
@@ -0,0 +1,363 @@
|
||||
edges
|
||||
| test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
|
||||
| test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
|
||||
| test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... |
|
||||
| test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... |
|
||||
| test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | * ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | ... + ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
|
||||
| test.cpp:6:14:6:15 | * ... | test.cpp:8:14:8:21 | * ... |
|
||||
| test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | * ... |
|
||||
| test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
|
||||
| test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
|
||||
| test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | * ... |
|
||||
| test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | * ... |
|
||||
| test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | * ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | ... + ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
|
||||
| test.cpp:30:14:30:15 | * ... | test.cpp:32:14:32:21 | * ... |
|
||||
| test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:28 | ... + ... |
|
||||
| test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:28 | ... + ... |
|
||||
| test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | * ... |
|
||||
| test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | * ... |
|
||||
| test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | * ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | ... + ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | * ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | * ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | * ... |
|
||||
| test.cpp:42:14:42:15 | * ... | test.cpp:44:14:44:21 | * ... |
|
||||
| test.cpp:51:33:51:35 | end | test.cpp:60:34:60:37 | mk_array output argument |
|
||||
| test.cpp:52:19:52:24 | call to malloc | test.cpp:53:5:53:23 | ... = ... |
|
||||
| test.cpp:52:19:52:24 | call to malloc | test.cpp:53:12:53:23 | ... + ... |
|
||||
| test.cpp:53:5:53:23 | ... = ... | test.cpp:51:33:51:35 | end |
|
||||
| test.cpp:53:12:53:23 | ... + ... | test.cpp:53:5:53:23 | ... = ... |
|
||||
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... |
|
||||
| test.cpp:194:23:194:28 | call to malloc | test.cpp:195:17:195:23 | ... + ... |
|
||||
| test.cpp:194:23:194:28 | call to malloc | test.cpp:195:17:195:23 | ... + ... |
|
||||
| test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:19 | ... = ... |
|
||||
| test.cpp:195:17:195:23 | ... + ... | test.cpp:195:17:195:23 | ... + ... |
|
||||
| test.cpp:195:17:195:23 | ... + ... | test.cpp:201:5:201:19 | ... = ... |
|
||||
| test.cpp:195:17:195:23 | ... + ... | test.cpp:201:5:201:19 | ... = ... |
|
||||
| test.cpp:205:23:205:28 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
|
||||
| test.cpp:205:23:205:28 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
|
||||
| test.cpp:205:23:205:28 | call to malloc | test.cpp:213:5:213:13 | ... = ... |
|
||||
| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | ... + ... |
|
||||
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
|
||||
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
|
||||
| test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | ... = ... |
|
||||
| test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:22 | ... = ... |
|
||||
| test.cpp:248:24:248:30 | call to realloc | test.cpp:254:9:254:16 | ... = ... |
|
||||
| test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... |
|
||||
| test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... |
|
||||
| test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:261:14:261:21 | ... + ... | test.cpp:261:14:261:21 | ... + ... |
|
||||
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... |
|
||||
| test.cpp:270:13:270:24 | new[] | test.cpp:271:14:271:21 | ... + ... |
|
||||
| test.cpp:270:13:270:24 | new[] | test.cpp:271:14:271:21 | ... + ... |
|
||||
| test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | ... = ... |
|
||||
| test.cpp:271:14:271:21 | ... + ... | test.cpp:271:14:271:21 | ... + ... |
|
||||
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... |
|
||||
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... |
|
||||
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... |
|
||||
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... |
|
||||
| test.cpp:355:14:355:27 | new[] | test.cpp:357:24:357:30 | ... + ... |
|
||||
| test.cpp:355:14:355:27 | new[] | test.cpp:357:24:357:30 | ... + ... |
|
||||
| test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | * ... |
|
||||
| test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | * ... |
|
||||
| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
|
||||
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
|
||||
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
|
||||
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
|
||||
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
|
||||
| test.cpp:357:24:357:30 | ... + ... | test.cpp:357:24:357:30 | ... + ... |
|
||||
| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | * ... |
|
||||
| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | * ... |
|
||||
| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | * ... |
|
||||
| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | * ... |
|
||||
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:377:14:377:27 | new[] | test.cpp:381:5:381:9 | ... ++ |
|
||||
| test.cpp:377:14:377:27 | new[] | test.cpp:381:5:381:9 | ... ++ |
|
||||
| test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | * ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
|
||||
| test.cpp:381:5:381:9 | ... ++ | test.cpp:381:5:381:9 | ... ++ |
|
||||
| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:13:384:16 | * ... |
|
||||
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
|
||||
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
|
||||
| test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:8 | ... ++ |
|
||||
| test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:8 | ... ++ |
|
||||
| test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... |
|
||||
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
|
||||
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
|
||||
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
|
||||
| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ |
|
||||
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | ... = ... |
|
||||
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | ... = ... |
|
||||
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... |
|
||||
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... |
|
||||
| test.cpp:421:14:421:27 | new[] | test.cpp:424:5:424:8 | ... ++ |
|
||||
| test.cpp:421:14:421:27 | new[] | test.cpp:424:5:424:8 | ... ++ |
|
||||
| test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... |
|
||||
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
|
||||
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
|
||||
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
|
||||
| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ |
|
||||
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | ... = ... |
|
||||
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | ... = ... |
|
||||
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... |
|
||||
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... |
|
||||
| test.cpp:432:14:432:27 | new[] | test.cpp:436:5:436:8 | ... ++ |
|
||||
| test.cpp:432:14:432:27 | new[] | test.cpp:436:5:436:8 | ... ++ |
|
||||
| test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... |
|
||||
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
|
||||
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
|
||||
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
|
||||
| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ |
|
||||
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | ... = ... |
|
||||
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | ... = ... |
|
||||
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... |
|
||||
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... |
|
||||
| test.cpp:444:14:444:27 | new[] | test.cpp:448:5:448:8 | ... ++ |
|
||||
| test.cpp:444:14:444:27 | new[] | test.cpp:448:5:448:8 | ... ++ |
|
||||
| test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | ... = ... |
|
||||
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
|
||||
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
|
||||
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
|
||||
| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ |
|
||||
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | ... = ... |
|
||||
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | ... = ... |
|
||||
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... |
|
||||
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... |
|
||||
| test.cpp:480:14:480:27 | new[] | test.cpp:484:5:484:8 | ... ++ |
|
||||
| test.cpp:480:14:480:27 | new[] | test.cpp:484:5:484:8 | ... ++ |
|
||||
| test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | ... = ... |
|
||||
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
|
||||
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
|
||||
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
|
||||
| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ |
|
||||
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | ... = ... |
|
||||
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | ... = ... |
|
||||
| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... |
|
||||
| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... |
|
||||
| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... |
|
||||
| test.cpp:695:13:695:26 | new[] | test.cpp:698:5:698:10 | ... += ... |
|
||||
| test.cpp:695:13:695:26 | new[] | test.cpp:698:5:698:10 | ... += ... |
|
||||
| test.cpp:698:5:698:10 | ... += ... | test.cpp:698:5:698:10 | ... += ... |
|
||||
| test.cpp:698:5:698:10 | ... += ... | test.cpp:701:15:701:16 | * ... |
|
||||
| test.cpp:705:18:705:18 | q | test.cpp:705:18:705:18 | q |
|
||||
| test.cpp:705:18:705:18 | q | test.cpp:706:12:706:13 | * ... |
|
||||
| test.cpp:705:18:705:18 | q | test.cpp:706:12:706:13 | * ... |
|
||||
| test.cpp:711:13:711:26 | new[] | test.cpp:714:11:714:11 | q |
|
||||
| test.cpp:714:11:714:11 | q | test.cpp:705:18:705:18 | q |
|
||||
| test.cpp:730:12:730:28 | new[] | test.cpp:732:16:732:26 | ... + ... |
|
||||
| test.cpp:730:12:730:28 | new[] | test.cpp:732:16:732:26 | ... + ... |
|
||||
| test.cpp:730:12:730:28 | new[] | test.cpp:733:5:733:12 | ... = ... |
|
||||
| test.cpp:732:16:732:26 | ... + ... | test.cpp:732:16:732:26 | ... + ... |
|
||||
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
|
||||
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
|
||||
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array |
|
||||
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array |
|
||||
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array |
|
||||
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array |
|
||||
| test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array |
|
||||
| test.cpp:792:60:792:62 | end | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument |
|
||||
| test.cpp:792:60:792:62 | end | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument |
|
||||
| test.cpp:793:14:793:19 | call to malloc | test.cpp:794:5:794:24 | ... = ... |
|
||||
| test.cpp:793:14:793:19 | call to malloc | test.cpp:794:12:794:24 | ... + ... |
|
||||
| test.cpp:794:5:794:24 | ... = ... | test.cpp:792:60:792:62 | end |
|
||||
| test.cpp:794:12:794:24 | ... + ... | test.cpp:794:5:794:24 | ... = ... |
|
||||
| test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | test.cpp:807:7:807:12 | ... = ... |
|
||||
| test.cpp:815:52:815:54 | end | test.cpp:815:52:815:54 | end |
|
||||
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... |
|
||||
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... |
|
||||
| test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | test.cpp:833:37:833:39 | end |
|
||||
| test.cpp:833:37:833:39 | end | test.cpp:815:52:815:54 | end |
|
||||
nodes
|
||||
| test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:6:14:6:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:6:14:6:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:8:14:8:21 | * ... | semmle.label | * ... |
|
||||
| test.cpp:16:15:16:20 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:20:14:20:21 | * ... | semmle.label | * ... |
|
||||
| test.cpp:28:15:28:20 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:30:14:30:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:30:14:30:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:32:14:32:21 | * ... | semmle.label | * ... |
|
||||
| test.cpp:40:15:40:20 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:42:14:42:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:42:14:42:15 | * ... | semmle.label | * ... |
|
||||
| test.cpp:44:14:44:21 | * ... | semmle.label | * ... |
|
||||
| test.cpp:51:33:51:35 | end | semmle.label | end |
|
||||
| test.cpp:52:19:52:24 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:53:5:53:23 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:53:12:53:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:60:34:60:37 | mk_array output argument | semmle.label | mk_array output argument |
|
||||
| test.cpp:67:9:67:14 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:194:23:194:28 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:201:5:201:19 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:205:23:205:28 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:213:5:213:13 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:231:18:231:30 | new[] | semmle.label | new[] |
|
||||
| test.cpp:232:3:232:20 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:238:20:238:32 | new[] | semmle.label | new[] |
|
||||
| test.cpp:239:5:239:22 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:248:24:248:30 | call to realloc | semmle.label | call to realloc |
|
||||
| test.cpp:254:9:254:16 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:260:13:260:24 | new[] | semmle.label | new[] |
|
||||
| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:264:13:264:14 | * ... | semmle.label | * ... |
|
||||
| test.cpp:264:13:264:14 | * ... | semmle.label | * ... |
|
||||
| test.cpp:270:13:270:24 | new[] | semmle.label | new[] |
|
||||
| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:274:5:274:10 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:355:14:355:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:358:14:358:26 | * ... | semmle.label | * ... |
|
||||
| test.cpp:359:14:359:32 | * ... | semmle.label | * ... |
|
||||
| test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:384:13:384:16 | * ... | semmle.label | * ... |
|
||||
| test.cpp:410:14:410:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:415:7:415:15 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:421:14:421:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:426:7:426:15 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:432:14:432:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:438:7:438:15 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:444:14:444:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:450:7:450:15 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:480:14:480:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
|
||||
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
|
||||
| test.cpp:486:7:486:15 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:543:14:543:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:548:5:548:19 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:554:14:554:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:559:5:559:19 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:642:14:642:31 | new[] | semmle.label | new[] |
|
||||
| test.cpp:647:5:647:19 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:695:13:695:26 | new[] | semmle.label | new[] |
|
||||
| test.cpp:698:5:698:10 | ... += ... | semmle.label | ... += ... |
|
||||
| test.cpp:698:5:698:10 | ... += ... | semmle.label | ... += ... |
|
||||
| test.cpp:701:15:701:16 | * ... | semmle.label | * ... |
|
||||
| test.cpp:705:18:705:18 | q | semmle.label | q |
|
||||
| test.cpp:705:18:705:18 | q | semmle.label | q |
|
||||
| test.cpp:706:12:706:13 | * ... | semmle.label | * ... |
|
||||
| test.cpp:711:13:711:26 | new[] | semmle.label | new[] |
|
||||
| test.cpp:714:11:714:11 | q | semmle.label | q |
|
||||
| test.cpp:730:12:730:28 | new[] | semmle.label | new[] |
|
||||
| test.cpp:732:16:732:26 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:732:16:732:26 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:733:5:733:12 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:754:18:754:31 | new[] | semmle.label | new[] |
|
||||
| test.cpp:767:16:767:29 | access to array | semmle.label | access to array |
|
||||
| test.cpp:767:16:767:29 | access to array | semmle.label | access to array |
|
||||
| test.cpp:772:16:772:29 | access to array | semmle.label | access to array |
|
||||
| test.cpp:772:16:772:29 | access to array | semmle.label | access to array |
|
||||
| test.cpp:781:14:781:27 | new[] | semmle.label | new[] |
|
||||
| test.cpp:786:18:786:27 | access to array | semmle.label | access to array |
|
||||
| test.cpp:792:60:792:62 | end | semmle.label | end |
|
||||
| test.cpp:793:14:793:19 | call to malloc | semmle.label | call to malloc |
|
||||
| test.cpp:794:5:794:24 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:794:12:794:24 | ... + ... | semmle.label | ... + ... |
|
||||
| test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | semmle.label | mk_array_no_field_flow output argument |
|
||||
| test.cpp:807:7:807:12 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:815:52:815:54 | end | semmle.label | end |
|
||||
| test.cpp:815:52:815:54 | end | semmle.label | end |
|
||||
| test.cpp:821:7:821:12 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | semmle.label | mk_array_no_field_flow output argument |
|
||||
| test.cpp:833:37:833:39 | end | semmle.label | end |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:6:14:6:15 | * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
|
||||
| test.cpp:8:14:8:21 | * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
|
||||
| test.cpp:20:14:20:21 | * ... | test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:20 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
|
||||
| test.cpp:30:14:30:15 | * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
|
||||
| test.cpp:32:14:32:21 | * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
|
||||
| test.cpp:42:14:42:15 | * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
|
||||
| test.cpp:44:14:44:21 | * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
|
||||
| test.cpp:67:9:67:14 | ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
|
||||
| test.cpp:201:5:201:19 | ... = ... | test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:194:23:194:28 | call to malloc | call to malloc | test.cpp:195:21:195:23 | len | len |
|
||||
| test.cpp:213:5:213:13 | ... = ... | test.cpp:205:23:205:28 | call to malloc | test.cpp:213:5:213:13 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:205:23:205:28 | call to malloc | call to malloc | test.cpp:206:21:206:23 | len | len |
|
||||
| test.cpp:232:3:232:20 | ... = ... | test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:231:18:231:30 | new[] | new[] | test.cpp:232:11:232:15 | index | index |
|
||||
| test.cpp:239:5:239:22 | ... = ... | test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:22 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:238:20:238:32 | new[] | new[] | test.cpp:239:13:239:17 | index | index |
|
||||
| test.cpp:254:9:254:16 | ... = ... | test.cpp:248:24:248:30 | call to realloc | test.cpp:254:9:254:16 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:248:24:248:30 | call to realloc | call to realloc | test.cpp:254:11:254:11 | i | i |
|
||||
| test.cpp:264:13:264:14 | * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
|
||||
| test.cpp:274:5:274:10 | ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
|
||||
| test.cpp:358:14:358:26 | * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
|
||||
| test.cpp:359:14:359:32 | * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
|
||||
| test.cpp:384:13:384:16 | * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
|
||||
| test.cpp:415:7:415:15 | ... = ... | test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:410:14:410:27 | new[] | new[] | test.cpp:411:19:411:22 | size | size |
|
||||
| test.cpp:426:7:426:15 | ... = ... | test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:421:14:421:27 | new[] | new[] | test.cpp:422:19:422:22 | size | size |
|
||||
| test.cpp:438:7:438:15 | ... = ... | test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:432:14:432:27 | new[] | new[] | test.cpp:433:19:433:22 | size | size |
|
||||
| test.cpp:450:7:450:15 | ... = ... | test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:444:14:444:27 | new[] | new[] | test.cpp:445:19:445:22 | size | size |
|
||||
| test.cpp:486:7:486:15 | ... = ... | test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 498. | test.cpp:480:14:480:27 | new[] | new[] | test.cpp:481:19:481:22 | size | size |
|
||||
| test.cpp:548:5:548:19 | ... = ... | test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:543:14:543:27 | new[] | new[] | test.cpp:548:8:548:14 | src_pos | src_pos |
|
||||
| test.cpp:559:5:559:19 | ... = ... | test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:554:14:554:27 | new[] | new[] | test.cpp:559:8:559:14 | src_pos | src_pos |
|
||||
| test.cpp:647:5:647:19 | ... = ... | test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:642:14:642:31 | new[] | new[] | test.cpp:647:8:647:14 | src_pos | src_pos |
|
||||
| test.cpp:701:15:701:16 | * ... | test.cpp:695:13:695:26 | new[] | test.cpp:701:15:701:16 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:695:13:695:26 | new[] | new[] | test.cpp:696:19:696:22 | size | size |
|
||||
| test.cpp:706:12:706:13 | * ... | test.cpp:711:13:711:26 | new[] | test.cpp:706:12:706:13 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:711:13:711:26 | new[] | new[] | test.cpp:712:19:712:22 | size | size |
|
||||
| test.cpp:733:5:733:12 | ... = ... | test.cpp:730:12:730:28 | new[] | test.cpp:733:5:733:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:730:12:730:28 | new[] | new[] | test.cpp:732:21:732:25 | ... + ... | ... + ... |
|
||||
| test.cpp:767:16:767:29 | access to array | test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:754:18:754:31 | new[] | new[] | test.cpp:767:22:767:28 | ... + ... | ... + ... |
|
||||
| test.cpp:767:16:767:29 | access to array | test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:754:18:754:31 | new[] | new[] | test.cpp:772:22:772:28 | ... + ... | ... + ... |
|
||||
| test.cpp:772:16:772:29 | access to array | test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:754:18:754:31 | new[] | new[] | test.cpp:767:22:767:28 | ... + ... | ... + ... |
|
||||
| test.cpp:772:16:772:29 | access to array | test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:754:18:754:31 | new[] | new[] | test.cpp:772:22:772:28 | ... + ... | ... + ... |
|
||||
| test.cpp:786:18:786:27 | access to array | test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:781:14:781:27 | new[] | new[] | test.cpp:786:20:786:26 | ... + ... | ... + ... |
|
||||
| test.cpp:807:7:807:12 | ... = ... | test.cpp:793:14:793:19 | call to malloc | test.cpp:807:7:807:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:793:14:793:19 | call to malloc | call to malloc | test.cpp:794:21:794:24 | size | size |
|
||||
| test.cpp:821:7:821:12 | ... = ... | test.cpp:793:14:793:19 | call to malloc | test.cpp:821:7:821:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:793:14:793:19 | call to malloc | call to malloc | test.cpp:794:21:794:24 | size | size |
|
||||
@@ -0,0 +1 @@
|
||||
Security/CWE/CWE-193/InvalidPointerDeref.ql
|
||||
@@ -0,0 +1,2 @@
|
||||
testFailures
|
||||
failures
|
||||
@@ -0,0 +1,81 @@
|
||||
import cpp
|
||||
import semmle.code.cpp.security.InvalidPointerDereference.InvalidPointerToDereference
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
import semmle.code.cpp.ir.IR
|
||||
import semmle.code.cpp.dataflow.new.DataFlow
|
||||
|
||||
string case3(DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation) {
|
||||
operationIsOffBy(_, _, derefSource, derefSink, _, operation, _) and
|
||||
not exists(case2(_, _, operation)) and
|
||||
not exists(case1(_, _, operation)) and
|
||||
exists(int derefSourceLine, int derefSinkLine, int operationLine |
|
||||
derefSourceLine = derefSource.getLocation().getStartLine() and
|
||||
derefSinkLine = derefSink.getLocation().getStartLine() and
|
||||
operationLine = operation.getLocation().getStartLine() and
|
||||
derefSourceLine != derefSinkLine and
|
||||
derefSinkLine != operationLine and
|
||||
result = "L" + derefSourceLine + "->L" + derefSinkLine + "->L" + operationLine
|
||||
)
|
||||
}
|
||||
|
||||
string case2(DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation) {
|
||||
operationIsOffBy(_, _, derefSource, derefSink, _, operation, _) and
|
||||
not exists(case1(_, _, operation)) and
|
||||
exists(int derefSourceLine, int derefSinkLine, int operationLine |
|
||||
derefSourceLine = derefSource.getLocation().getStartLine() and
|
||||
derefSinkLine = derefSink.getLocation().getStartLine() and
|
||||
operationLine = operation.getLocation().getStartLine() and
|
||||
derefSourceLine = derefSinkLine and
|
||||
derefSinkLine != operationLine and
|
||||
result = "L" + derefSourceLine + "->L" + operationLine
|
||||
)
|
||||
}
|
||||
|
||||
string case1(DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation) {
|
||||
operationIsOffBy(_, _, derefSource, derefSink, _, operation, _) and
|
||||
exists(int derefSourceLine, int derefSinkLine, int operationLine |
|
||||
derefSourceLine = derefSource.getLocation().getStartLine() and
|
||||
derefSinkLine = derefSink.getLocation().getStartLine() and
|
||||
operationLine = operation.getLocation().getStartLine() and
|
||||
derefSourceLine = derefSinkLine and
|
||||
derefSinkLine = operationLine and
|
||||
result = "L" + derefSourceLine
|
||||
)
|
||||
}
|
||||
|
||||
module InvalidPointerToDereferenceTest implements TestSig {
|
||||
string getARelevantTag() { result = "deref" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(
|
||||
DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation, int delta,
|
||||
string value1, string value2
|
||||
|
|
||||
operationIsOffBy(_, _, derefSource, derefSink, _, operation, delta) and
|
||||
location = operation.getLocation() and
|
||||
element = operation.toString() and
|
||||
tag = "deref" and
|
||||
value = value1 + value2
|
||||
|
|
||||
(
|
||||
value1 = case3(derefSource, derefSink, operation)
|
||||
or
|
||||
value1 = case2(derefSource, derefSink, operation)
|
||||
or
|
||||
value1 = case1(derefSource, derefSink, operation)
|
||||
) and
|
||||
(
|
||||
delta > 0 and
|
||||
value2 = "+" + delta
|
||||
or
|
||||
delta = 0 and
|
||||
value2 = ""
|
||||
or
|
||||
delta < 0 and
|
||||
value2 = "-" + (-delta)
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<InvalidPointerToDereferenceTest>
|
||||
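Review bot: The label predicates `case1`, `case2` and `case3` leave one shape uncovered: a tuple whose source and sink are on different lines while the sink and the operation share a line. `case3` requires `derefSinkLine != operationLine`, and `case1` and `case2` both require `derefSourceLine = derefSinkLine`, so `hasActualResult` binds no `value1` for such a tuple and emits no `deref` tag for it. Whether `operationIsOffBy` can produce that shape is not visible from this file, but if it can, a change in what this CWE-193 query detects would go unreported by the inline expectations. Either drop the `derefSinkLine != operationLine` conjunct from `case3`, or add a comment above the predicates explaining why the combination cannot occur. The predicates also have no QLDoc; a one-line comment on each would help, e.g. `/** Gets the label "L<source>->L<sink>->L<operation>", used when source and sink lines differ and no shorter label exists for the operation. */` on `case3`.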
834
cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp
Normal file
@@ -0,0 +1,834 @@
|
||||
char *malloc(int size);
|
||||
|
||||
void test1(int size) {
|
||||
char* p = malloc(size);
|
||||
char* q = p + size; // $ alloc=L4
|
||||
char a = *q; // $ deref=L6 // BAD
|
||||
char b = *(q - 1); // GOOD
|
||||
char c = *(q + 1); // $ deref=L8+1 // BAD
|
||||
char d = *(q + size); // BAD [NOT DETECTED]
|
||||
char e = *(q - size); // GOOD
|
||||
char f = *(q + size + 1); // BAD [NOT DETECTED]
|
||||
char g = *(q - size - 1); // GOOD
|
||||
}
|
||||
|
||||
void test2(int size) {
|
||||
char* p = malloc(size);
|
||||
char* q = p + size - 1; // $ alloc=L16
|
||||
char a = *q; // GOOD
|
||||
char b = *(q - 1); // GOOD
|
||||
char c = *(q + 1); // $ deref=L20 // BAD
|
||||
char d = *(q + size); // BAD [NOT DETECTED]
|
||||
char e = *(q - size); // GOOD
|
||||
char f = *(q + size + 1); // BAD [NOT DETECTED]
|
||||
char g = *(q - size - 1); // GOOD
|
||||
}
|
||||
|
||||
void test3(int size) {
|
||||
char* p = malloc(size + 1);
|
||||
char* q = p + (size + 1); // $ alloc=L28+1
|
||||
char a = *q; // $ deref=L30 // BAD
|
||||
char b = *(q - 1); // GOOD
|
||||
char c = *(q + 1); // $ deref=L32+1 // BAD
|
||||
char d = *(q + size); // BAD [NOT DETECTED]
|
||||
char e = *(q - size); // GOOD
|
||||
char f = *(q + size + 1); // BAD [NOT DETECTED]
|
||||
char g = *(q - size - 1); // GOOD
|
||||
}
|
||||
|
||||
void test4(int size) {
|
||||
char* p = malloc(size - 1);
|
||||
char* q = p + (size - 1); // $ alloc=L40-1
|
||||
char a = *q; // $ deref=L42 // BAD
|
||||
char b = *(q - 1); // GOOD
|
||||
char c = *(q + 1); // $ deref=L44+1 // BAD
|
||||
char d = *(q + size); // BAD [NOT DETECTED]
|
||||
char e = *(q - size); // GOOD
|
||||
char f = *(q + size + 1); // BAD [NOT DETECTED]
|
||||
char g = *(q - size - 1); // GOOD
|
||||
}
|
||||
|
||||
char* mk_array(int size, char** end) {
|
||||
char* begin = malloc(size);
|
||||
*end = begin + size; // $ alloc=L52
|
||||
|
||||
return begin;
|
||||
}
|
||||
|
||||
void test5(int size) {
|
||||
char* end;
|
||||
char* begin = mk_array(size, &end);
|
||||
|
||||
for (char* p = begin; p != end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
|
||||
for (char* p = begin; p <= end; ++p) {
|
||||
*p = 0; // $ deref=L53->L62->L67 deref=L53->L66->L67 // BAD
|
||||
}
|
||||
|
||||
for (char* p = begin; p < end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
struct array_t {
|
||||
char* begin;
|
||||
char* end;
|
||||
};
|
||||
|
||||
array_t mk_array(int size) {
|
||||
array_t arr;
|
||||
arr.begin = malloc(size);
|
||||
arr.end = arr.begin + size; // $ MISSING: alloc=L82
|
||||
|
||||
return arr;
|
||||
}
|
||||
|
||||
void test6(int size) {
|
||||
array_t arr = mk_array(size);
|
||||
|
||||
for (char* p = arr.begin; p != arr.end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
|
||||
for (char* p = arr.begin; p <= arr.end; ++p) {
|
||||
*p = 0; // $ MISSING: deref=L83->L91->L96 deref=L83->L95->L96 // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
for (char* p = arr.begin; p < arr.end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test7_callee(array_t arr) {
|
||||
for (char* p = arr.begin; p != arr.end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
|
||||
for (char* p = arr.begin; p <= arr.end; ++p) {
|
||||
*p = 0; // $ MISSING: deref=L83->L105->L110 deref=L83->L109->L110 // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
for (char* p = arr.begin; p < arr.end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test7(int size) {
|
||||
test7_callee(mk_array(size));
|
||||
}
|
||||
|
||||
void test8(int size) {
|
||||
array_t arr;
|
||||
char* p = malloc(size);
|
||||
arr.begin = p;
|
||||
arr.end = p + size; // $ alloc=L124
|
||||
|
||||
for (int i = 0; i < arr.end - arr.begin; i++) {
|
||||
*(arr.begin + i) = 0; // GOOD
|
||||
}
|
||||
|
||||
for (int i = 0; i != arr.end - arr.begin; i++) {
|
||||
*(arr.begin + i) = 0; // GOOD
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr.end - arr.begin; i++) {
|
||||
*(arr.begin + i) = 0; // BAD [NOT DETECTED]
|
||||
}
|
||||
}
|
||||
|
||||
array_t *mk_array_p(int size) {
|
||||
array_t *arr = (array_t*) malloc(sizeof(array_t));
|
||||
arr->begin = malloc(size);
|
||||
arr->end = arr->begin + size; // $ MISSING: alloc=L143
|
||||
|
||||
return arr;
|
||||
}
|
||||
|
||||
void test9(int size) {
|
||||
array_t *arr = mk_array_p(size);
|
||||
|
||||
for (char* p = arr->begin; p != arr->end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
|
||||
for (char* p = arr->begin; p <= arr->end; ++p) {
|
||||
*p = 0; // $ MISSING: deref=L144->L156->L157 // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
for (char* p = arr->begin; p < arr->end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test10_callee(array_t *arr) {
|
||||
for (char* p = arr->begin; p != arr->end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
|
||||
for (char* p = arr->begin; p <= arr->end; ++p) {
|
||||
*p = 0; // $ MISSING: deref=L144->L166->L171 deref=L144->L170->L171 // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
for (char* p = arr->begin; p < arr->end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test10(int size) {
|
||||
test10_callee(mk_array_p(size));
|
||||
}
|
||||
|
||||
void deref_plus_one(char* q) {
|
||||
char a = *(q + 1); // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
void test11(unsigned size) {
|
||||
char *p = malloc(size);
|
||||
char *q = p + size - 1; // $ alloc=L188
|
||||
deref_plus_one(q);
|
||||
}
|
||||
|
||||
void test12(unsigned len, unsigned index) {
|
||||
char* p = (char *)malloc(len);
|
||||
char* end = p + len; // $ alloc=L194
|
||||
|
||||
if(p + index > end) {
|
||||
return;
|
||||
}
|
||||
|
||||
p[index] = '\0'; // $ deref=L201 // BAD
|
||||
}
|
||||
|
||||
void test13(unsigned len, unsigned index) {
|
||||
char* p = (char *)malloc(len);
|
||||
char* end = p + len; // $ alloc=L205
|
||||
|
||||
char* q = p + index;
|
||||
if(q > end) {
|
||||
return;
|
||||
}
|
||||
|
||||
*q = '\0'; // $ deref=L213 // BAD
|
||||
}
|
||||
|
||||
bool unknown();
|
||||
|
||||
void test14(unsigned long n, char *p) {
|
||||
while (unknown()) {
|
||||
n++;
|
||||
p = (char *)malloc(n);
|
||||
p[n - 1] = 'a'; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test15(unsigned index) {
|
||||
unsigned size = index + 13;
|
||||
if(size < index) {
|
||||
return;
|
||||
}
|
||||
int* newname = new int[size];
|
||||
newname[index] = 0; // $ alloc=L231 deref=L232 // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
|
||||
void test16(unsigned index) {
|
||||
unsigned size = index + 13;
|
||||
if(size >= index) {
|
||||
int* newname = new int[size];
|
||||
newname[index] = 0; // $ alloc=L238 deref=L239 // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
}
|
||||
|
||||
void *realloc(void *, unsigned);
|
||||
|
||||
void test17(unsigned *p, unsigned x, unsigned k) {
|
||||
if(k > 0 && p[1] <= p[0]){
|
||||
unsigned n = 3*p[0] + k;
|
||||
p = (unsigned*)realloc(p, n);
|
||||
p[0] = n;
|
||||
unsigned i = p[1];
|
||||
// The following access is okay because:
|
||||
// n = 3*p[0] + k >= p[0] + k >= p[1] + k > p[1] = i
|
||||
// (where p[0] denotes the original value for p[0])
|
||||
p[i] = x; // $ alloc=L248 deref=L254 // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
}
|
||||
|
||||
void test17(unsigned len)
|
||||
{
|
||||
int *xs = new int[len];
|
||||
int *end = xs + len; // $ alloc=L260
|
||||
for (int *x = xs; x <= end; x++)
|
||||
{
|
||||
int i = *x; // $ deref=L264 // BAD
|
||||
}
|
||||
}
|
||||
|
||||
void test18(unsigned len)
|
||||
{
|
||||
int *xs = new int[len];
|
||||
int *end = xs + len; // $ alloc=L270
|
||||
for (int *x = xs; x <= end; x++)
|
||||
{
|
||||
*x = 0; // $ deref=L274 // BAD
|
||||
}
|
||||
}
|
||||
|
||||
void test19(unsigned len)
|
||||
{
|
||||
int *xs = new int[len];
|
||||
int *end = xs + len; // $ alloc=L280
|
||||
for (int *x = xs; x < end; x++)
|
||||
{
|
||||
int i = *x; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test20(unsigned len)
|
||||
{
|
||||
int *xs = new int[len];
|
||||
int *end = xs + len; // $ alloc=L290
|
||||
for (int *x = xs; x < end; x++)
|
||||
{
|
||||
*x = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void* test21_get(int n);
|
||||
|
||||
void test21() {
|
||||
int n = 0;
|
||||
while (test21_get(n)) n+=2;
|
||||
|
||||
void** xs = new void*[n];
|
||||
|
||||
for (int i = 0; i < n; i += 2) {
|
||||
xs[i] = test21_get(i); // GOOD
|
||||
xs[i+1] = test21_get(i+1); // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test22(unsigned size, int val) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size; // $ alloc=L313 // GOOD
|
||||
char **current = &end;
|
||||
do {
|
||||
if (*current - xs < 1) // GOOD
|
||||
return;
|
||||
*--(*current) = 0; // GOOD
|
||||
val >>= 8;
|
||||
} while (val > 0);
|
||||
}
|
||||
|
||||
void test23(unsigned size, int val) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size; // $ alloc=L325
|
||||
char **current = &end;
|
||||
|
||||
if (val < 1) {
|
||||
if(*current - xs < 1)
|
||||
return;
|
||||
|
||||
*--(*current) = 0; // GOOD
|
||||
return;
|
||||
}
|
||||
|
||||
if (val < 2) {
|
||||
if(*current - xs < 2)
|
||||
return;
|
||||
|
||||
*--(*current) = 0; // GOOD
|
||||
*--(*current) = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test24(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size; // $ alloc=L347
|
||||
if (xs < end) {
|
||||
int val = *xs++; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test25(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size; // $ alloc=L355
|
||||
char *end_plus_one = end + 1;
|
||||
int val1 = *end_plus_one; // $ deref=L358+1 // BAD
|
||||
int val2 = *(end_plus_one + 1); // $ deref=L359+2 // BAD
|
||||
}
|
||||
|
||||
void test26(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *p = xs;
|
||||
char *end = p + size; // $ alloc=L363
|
||||
|
||||
if (p + 4 <= end) {
|
||||
p += 4;
|
||||
}
|
||||
|
||||
if (p < end) {
|
||||
int val = *p; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test27(unsigned size, bool b) {
|
||||
char *xs = new char[size];
|
||||
char *end = xs + size; // $ alloc=L377
|
||||
|
||||
if (b) {
|
||||
end++;
|
||||
}
|
||||
|
||||
int val = *end; // $ deref=L384+1 // BAD
|
||||
}
|
||||
|
||||
void test28(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L388
|
||||
if (xs >= end)
|
||||
return;
|
||||
xs++;
|
||||
if (xs >= end)
|
||||
return;
|
||||
xs[0] = 0; // GOOD
|
||||
}
|
||||
|
||||
void test28_simple(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L399
|
||||
if (xs < end) {
|
||||
xs++;
|
||||
if (xs < end) {
|
||||
xs[0] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void test28_simple2(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L410
|
||||
if (xs < end) {
|
||||
xs++;
|
||||
if (xs < end + 1) {
|
||||
xs[0] = 0; // $ deref=L415 // BAD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void test28_simple3(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L421
|
||||
if (xs < end) {
|
||||
xs++;
|
||||
if (xs - 1 < end) {
|
||||
xs[0] = 0; // $ deref=L426 // BAD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void test28_simple4(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L432
|
||||
if (xs < end) {
|
||||
end++;
|
||||
xs++;
|
||||
if (xs < end) {
|
||||
xs[0] = 0; // $ deref=L438 // BAD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void test28_simple5(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L444
|
||||
end++;
|
||||
if (xs < end) {
|
||||
xs++;
|
||||
if (xs < end) {
|
||||
xs[0] = 0; // $ deref=L450 // BAD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void test28_simple6(unsigned size) {
|
||||
char *xs = new char[size + 1];
|
||||
char *end = &xs[size];
|
||||
end++;
|
||||
if (xs < end) {
|
||||
xs++;
|
||||
if (xs < end) {
|
||||
xs[0] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void test28_simple7(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L468
|
||||
end++;
|
||||
if (xs < end) {
|
||||
xs++;
|
||||
if (xs < end - 1) {
|
||||
xs[0] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void test28_simple8(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L480
|
||||
end += 500;
|
||||
if (xs < end) {
|
||||
xs++;
|
||||
if (xs < end - 1) {
|
||||
xs[0] = 0; // $ deref=L486+498 // BAD
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
struct test29_struct {
|
||||
char* xs;
|
||||
};
|
||||
|
||||
void test29(unsigned size) {
|
||||
test29_struct val;
|
||||
val.xs = new char[size];
|
||||
size++;
|
||||
val.xs = new char[size];
|
||||
val.xs[size - 1] = 0; // GOOD
|
||||
}
|
||||
|
||||
void test30(int *size)
|
||||
{
|
||||
int new_size = 0, tmp_size = 0;
|
||||
|
||||
test30(&tmp_size);
|
||||
if (tmp_size + 1 > new_size) {
|
||||
new_size = tmp_size + 1;
|
||||
char *xs = new char[new_size];
|
||||
for (int i = 0; i < new_size; i++) {
|
||||
xs[i] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
*size = new_size;
|
||||
}
|
||||
|
||||
void test31(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
unsigned dst_pos = src_pos;
|
||||
if (dst_pos < size - 3) {
|
||||
xs[dst_pos++] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple1(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos < size) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple2(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos < size + 1) {
|
||||
xs[src_pos] = 0; // $ alloc=L543 deref=L548 // BAD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple3(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos - 1 < size) {
|
||||
xs[src_pos] = 0; // $ alloc=L554 deref=L559 // BAD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple4(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos < size - 1) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple5(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos + 1 < size) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple1_plus1(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size + 1];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos < size) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple2_plus1(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size + 1];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos < size + 1) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple3_plus1(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size + 1];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos - 1 < size) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple4_plus1(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size + 1];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos < size - 1) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple5_plus1(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size + 1];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos + 1 < size) {
|
||||
xs[src_pos] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test31_simple1_sub1(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size - 1];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
if (src_pos < size) {
|
||||
xs[src_pos] = 0; // $ alloc=L642-1 deref=L647 // BAD
|
||||
}
|
||||
}
|
||||
|
||||
void test32(unsigned size) {
|
||||
char *xs = new char[size];
|
||||
char *end = &xs[size]; // $ alloc=L652
|
||||
if (xs >= end)
|
||||
return;
|
||||
xs++;
|
||||
if (xs >= end)
|
||||
return;
|
||||
xs++;
|
||||
if (xs >= end)
|
||||
return;
|
||||
xs[0] = 0; // GOOD
|
||||
}
|
||||
|
||||
void test33(unsigned size, unsigned src_pos)
|
||||
{
|
||||
char *xs = new char[size + 1];
|
||||
if (src_pos > size) {
|
||||
src_pos = size;
|
||||
}
|
||||
unsigned dst_pos = src_pos;
|
||||
while (dst_pos < size - 1) {
|
||||
dst_pos++;
|
||||
if (true)
|
||||
xs[dst_pos++] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
int* pointer_arithmetic(int *p, int offset) {
|
||||
return p + offset; // $ alloc=L684
|
||||
}
|
||||
|
||||
void test_missing_call_context_1(unsigned size) {
|
||||
int* p = new int[size];
|
||||
int* end = pointer_arithmetic(p, size);
|
||||
}
|
||||
|
||||
void test_missing_call_context_2(unsigned size) {
|
||||
int* p = new int[size];
|
||||
int* end_minus_one = pointer_arithmetic(p, size - 1);
|
||||
*end_minus_one = '0'; // $ deref=L680->L690->L691 // GOOD
|
||||
}
|
||||
|
||||
void test34(unsigned size) {
|
||||
char *p = new char[size];
|
||||
char *end = p + size + 1; // $ alloc=L695
|
||||
if (p + 1 < end) {
|
||||
p += 1;
|
||||
}
|
||||
if (p + 1 < end) {
|
||||
int val = *p; // $ deref=L698->L700->L701 // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
}
|
||||
|
||||
void deref(char* q) {
|
||||
char x = *q; // $ deref=L714->L705->L706 // BAD
|
||||
}
|
||||
|
||||
void test35(unsigned long size, char* q)
|
||||
{
|
||||
char* p = new char[size];
|
||||
char* end = p + size; // $ alloc=L711
|
||||
if(q <= end) {
|
||||
deref(q);
|
||||
}
|
||||
}
|
||||
|
||||
void test21_simple(bool b) {
|
||||
int n = 0;
|
||||
if (b) n = 2;
|
||||
|
||||
int* xs = new int[n];
|
||||
|
||||
for (int i = 0; i < n; i += 2) {
|
||||
xs[i+1] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test36(unsigned size, unsigned n) {
|
||||
int* p = new int[size + 2];
|
||||
if(n < size + 1) {
|
||||
int* end = p + (n + 2); // $ alloc=L730+2
|
||||
*end = 0; // $ deref=L733 // BAD
|
||||
}
|
||||
}
|
||||
|
||||
void test37(unsigned long n)
|
||||
{
|
||||
int *p = new int[n];
|
||||
for (unsigned long i = n; i != 0u; i--)
|
||||
{
|
||||
p[n - i] = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
unsigned get(char);
|
||||
void exit(int);
|
||||
|
||||
void error(const char * msg) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
void test38(unsigned size) {
|
||||
char * alloc = new char[size];
|
||||
|
||||
unsigned pos = 0;
|
||||
while (pos < size) {
|
||||
char kind = alloc[pos];
|
||||
unsigned n = get(alloc[pos]);
|
||||
if (pos + n >= size) {
|
||||
error("");
|
||||
}
|
||||
switch (kind) {
|
||||
case '0':
|
||||
if (n != 1)
|
||||
error("");
|
||||
char x = alloc[pos + 1]; // $ alloc=L754 deref=L767 // GOOD [FALSE POSITIVE]
|
||||
break;
|
||||
case '1':
|
||||
if (n != 2)
|
||||
error("");
|
||||
char a = alloc[pos + 1]; // $ alloc=L754 deref=L772 // GOOD [FALSE POSITIVE]
|
||||
char b = alloc[pos + 2];
|
||||
break;
|
||||
}
|
||||
pos += 1 + n;
|
||||
}
|
||||
}
|
||||
|
||||
void test38_simple(unsigned size, unsigned pos, unsigned numParams) {
|
||||
char * p = new char[size];
|
||||
|
||||
if (pos < size) {
|
||||
if (pos + numParams < size) {
|
||||
if (numParams == 1) {
|
||||
char x = p[pos + 1]; // $ alloc=L781 deref=L786 // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void mk_array_no_field_flow(int size, char** begin, char** end) {
|
||||
*begin = malloc(size);
|
||||
*end = *begin + size; // $ alloc=L793
|
||||
}
|
||||
|
||||
void test6_no_field_flow(int size) {
|
||||
char* begin;
|
||||
char* end;
|
||||
mk_array_no_field_flow(size, &begin, &end);
|
||||
|
||||
for (char* p = begin; p != end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
|
||||
for (char* p = begin; p <= end; ++p) {
|
||||
*p = 0; // $ deref=L794->L802->L807 deref=L794->L806->L807 // BAD
|
||||
}
|
||||
|
||||
for (char* p = begin; p < end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test7_callee_no_field_flow(char* begin, char* end) {
|
||||
for (char* p = begin; p != end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
|
||||
for (char* p = begin; p <= end; ++p) {
|
||||
*p = 0; // $ deref=L794->L815->L821 deref=L794->L816->L821 deref=L794->L820->L821 // BAD
|
||||
}
|
||||
|
||||
for (char* p = begin; p < end; ++p) {
|
||||
*p = 0; // GOOD
|
||||
}
|
||||
}
|
||||
|
||||
void test7_no_field_flow(int size) {
|
||||
char* begin;
|
||||
char* end;
|
||||
mk_array_no_field_flow(size, &begin, &end);
|
||||
test7_callee_no_field_flow(begin, end);
|
||||
}
|
||||