CPP: Add local dataflow to (one bit of) OverflowStatic.ql.

This commit is contained in:
Geoffrey White
2018-11-21 18:30:24 +00:00
parent 01ba635e1d
commit ea56a5d9ce
3 changed files with 18 additions and 8 deletions


@@ -82,22 +82,31 @@ class CallWithBufferSize extends FunctionCall
Expr buffer() {
exists(int i |
bufferAndSizeFunction(this.getTarget(), i, _) and
result = this.getArgument(i))
result = this.getArgument(i)
)
}
Expr statedSize() {
Expr statedSizeExpr() {
exists(int i |
bufferAndSizeFunction(this.getTarget(), _, i) and
result = this.getArgument(i))
result = this.getArgument(i)
)
}
int statedSizeValue() {
exists(Expr statedSizeSrc |
DataFlow::localFlowStep*(DataFlow::exprNode(statedSizeSrc), DataFlow::exprNode(statedSizeExpr())) and
result = statedSizeSrc.getValue().toInt()
)
}
}
predicate wrongBufferSize(Expr error, string msg) {
exists(CallWithBufferSize call, int bufsize, Variable buf |
exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
staticBuffer(call.buffer(), buf, bufsize) and
call.statedSize().getValue().toInt() > bufsize and
error = call.statedSize() and
statedSize = call.statedSizeValue() and
statedSize > bufsize and
error = call.statedSizeExpr() and
msg = "Potential buffer-overflow: '" + buf.getName() +
"' has size " + bufsize.toString() + " not " + call.statedSize().getValue() + ".")
"' has size " + bufsize.toString() + " not " + statedSize + ".")
}
predicate outOfBounds(BufferAccess bufaccess, string msg)
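Review bot: The new `statedSizeValue()` can have more than one result whenever several constant-valued expressions reach `statedSizeExpr()` through `DataFlow::localFlowStep*` (for instance assignments on different branches), and `wrongBufferSize` then binds `statedSize` to each of them, so one call can raise one alert per candidate constant, including values that may not be the one used on the path actually taken. If that is intended it should be documented with QLDoc on the predicate, e.g. `/** Gets a constant that may flow locally into the stated size argument; may have several results. */`; if not, the predicate should require the value to be unique before an alert is reported. As a point of style, the message still spells `bufsize.toString()` but appends `statedSize` bare; `statedSize.toString()` would keep the two consistent. The enclosing class `CallWithBufferSize` starts before this hunk, so whether the `DataFlow` import is already in scope cannot be confirmed from here.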


@@ -6,3 +6,4 @@
| test.cpp:20:3:20:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer2' has 3 elements. |
| test.cpp:24:27:24:27 | 4 | Potential buffer-overflow: 'buffer1' has size 3 not 4. |
| test.cpp:26:27:26:27 | 4 | Potential buffer-overflow: 'buffer2' has size 3 not 4. |
| test.cpp:40:22:40:27 | amount | Potential buffer-overflow: 'buffer' has size 100 not 101. |


@@ -37,7 +37,7 @@ void f2(char *src)
amount = amount + 1;
memcpy(buffer, src, amount); // BAD [NOT DETECTED]
amount = 101;
memcpy(buffer, src, amount); // BAD [NOT DETECTED]
memcpy(buffer, src, amount); // BAD
ptr = buffer;
memcpy(ptr, src, 101); // BAD [NOT DETECTED]