Merge pull request #2003 from geoffw0/formatarg

CPP: WrongTypeFormatArguments.ql Fix
2026-04-30 19:26:02 +02:00 · 2019-11-11 16:07:37 +01:00
parent d9bdb2cd4e d434f909a5
commit f2a9876c2a
6 changed files with 82 additions and 9 deletions
--- a/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
@@ -8,25 +8,32 @@ import semmle.code.cpp.commons.StringAnalysis
 import semmle.code.cpp.models.interfaces.FormattingFunction
 import semmle.code.cpp.models.implementations.Printf

+class PrintfFormatAttribute extends FormatAttribute {
+  PrintfFormatAttribute() {
+    getArchetype() = "printf" or
+    getArchetype() = "__printf__"
+  }
+}
+
 /**
 * A function that can be identified as a `printf` style formatting
 * function by its use of the GNU `format` attribute.
 */
 class AttributeFormattingFunction extends FormattingFunction {
-  FormatAttribute printf_attrib;
-
  override string getCanonicalQLClass() { result = "AttributeFormattingFunction" }

  AttributeFormattingFunction() {
-    printf_attrib = getAnAttribute() and
-    (
-      printf_attrib.getArchetype() = "printf" or
-      printf_attrib.getArchetype() = "__printf__"
-    ) and
-    exists(printf_attrib.getFirstFormatArgIndex()) // exclude `vprintf` style format functions
+    exists(PrintfFormatAttribute printf_attrib |
+      printf_attrib = getAnAttribute() and
+      exists(printf_attrib.getFirstFormatArgIndex()) // exclude `vprintf` style format functions
+    )
  }

-  override int getFormatParameterIndex() { result = printf_attrib.getFormatIndex() }
+  override int getFormatParameterIndex() {
+    forex(PrintfFormatAttribute printf_attrib | printf_attrib = getAnAttribute() |
+      result = printf_attrib.getFormatIndex()
+    )
+  }
 }

 /**
--- a/Bugs/Format/NonConstantFormat/a.c
+++ b/Bugs/Format/NonConstantFormat/a.c
@@ -0,0 +1,19 @@
+
+__attribute__((format(printf, 1, 3)))
+void myMultiplyDefinedPrintf(const char *format, const char *extraArg, ...)
+{
+	// ...
+}
+
+__attribute__((format(printf, 1, 3)))
+void myMultiplyDefinedPrintf2(const char *format, const char *extraArg, ...);
+
+char *getString();
+
+void test_custom_printf1()
+{
+  myMultiplyDefinedPrintf("string", getString()); // GOOD
+  myMultiplyDefinedPrintf(getString(), "string"); // BAD [NOT DETECTED]
+  myMultiplyDefinedPrintf2("string", getString()); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+  myMultiplyDefinedPrintf2(getString(), "string"); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+}
--- a/Bugs/Format/NonConstantFormat/b.c
+++ b/Bugs/Format/NonConstantFormat/b.c
@@ -0,0 +1,16 @@
+
+__attribute__((format(printf, 2, 3)))
+void myMultiplyDefinedPrintf(const char *extraArg, const char *format, ...); // this declaration does not match the definition
+
+__attribute__((format(printf, 2, 3)))
+void myMultiplyDefinedPrintf2(const char *extraArg, const char *format, ...);
+
+char *getString();
+
+void test_custom_printf2(char *string)
+{
+  myMultiplyDefinedPrintf("string", getString()); // GOOD
+  myMultiplyDefinedPrintf(getString(), "string"); // BAD [NOT DETECTED]
+  myMultiplyDefinedPrintf2("string", getString()); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+  myMultiplyDefinedPrintf2(getString(), "string"); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/a.c
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/a.c
@@ -0,0 +1,16 @@
+
+__attribute__((format(printf, 1, 3)))
+void myMultiplyDefinedPrintf(const char *format, const char *extraArg, ...)
+{
+	// ...
+}
+__attribute__((format(printf, 1, 3)))
+void myMultiplyDefinedPrintf2(const char *format, const char *extraArg, ...);
+
+void test_custom_printf1()
+{
+  myMultiplyDefinedPrintf("%i", "%f", 1); // GOOD
+  myMultiplyDefinedPrintf("%i", "%f", 1.0f); // BAD [NOT DETECTED]
+  myMultiplyDefinedPrintf2("%i", "%f", 1); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+  myMultiplyDefinedPrintf2("%i", "%f", 1.0f); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/b.c
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/b.c
@@ -0,0 +1,14 @@
+
+__attribute__((format(printf, 2, 3)))
+void myMultiplyDefinedPrintf(const char *extraArg, const char *format, ...); // this declaration does not match the definition
+
+__attribute__((format(printf, 2, 3)))
+void myMultiplyDefinedPrintf2(const char *extraArg, const char *format, ...);
+
+void test_custom_printf2()
+{
+  myMultiplyDefinedPrintf("%i", "%f", 1); // GOOD
+  myMultiplyDefinedPrintf("%i", "%f", 1.0f); // BAD [NOT DETECTED]
+  myMultiplyDefinedPrintf2("%i", "%f", 1); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+  myMultiplyDefinedPrintf2("%i", "%f", 1.0f); // GOOD (we can't tell which declaration is correct so we have to assume this is OK)
+}