hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
remove-javascript
codeql/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp
Jonas Jensen 01fc721497 C++: Fixup test annotation
2019-04-10 09:28:06 +02:00

118 lines
2.2 KiB
C++
Raw Permalink Blame History

typedef unsigned int size_t;
int snprintf(char *s, size_t n, const char *format, ...);
class queue
{
public:
queue();
~queue();
bool has_number();
int get_number();
private:
// ...
};
void test1(queue &numbers)
{
char buffer[100];
int pos = 0;
while (numbers.has_number())
{
pos += snprintf(&(buffer[pos]), 100 - pos, "%i, ", numbers.get_number()); // BAD
}
}
void test2(queue &numbers)
{
char buffer[100];
int pos = 0;
while ((numbers.has_number()) && (pos < 100))
{
pos += snprintf(&(buffer[pos]), 100 - pos, "%i, ", numbers.get_number()); // GOOD
}
}
void test3(queue &numbers)
{
char buffer[100];
int pos = 0;
while (numbers.has_number())
{
pos += snprintf(&(buffer[pos]), 100 - pos, "%i, ", numbers.get_number()); // GOOD
if (pos > 100)
{
pos = 100;
}
}
}
void test4(queue &numbers)
{
char buffer[100], *ptr;
size_t amount, remaining;
while (numbers.has_number())
{
amount = snprintf(ptr, remaining, "%i, ", numbers.get_number()); // BAD
ptr += amount;
remaining -= amount;
}
}
void test5(queue &numbers)
{
char buffer[100];
char *ptr = buffer;
char *end = &(buffer[100]);
while (numbers.has_number())
{
ptr += snprintf(ptr, end - ptr, "%i, ", numbers.get_number()); // BAD
}
}
void test6(const char *sa, const char *sb)
{
char buffer[100];
int pos = 0;
pos = snprintf(buffer, 100, "'%s', ", sa);
pos += snprintf(&(buffer[pos]), 100 - pos, "'%s'.", sb); // BAD [NOT DETECTED]
}
size_t strlen(const char *str);
typedef size_t rsize_t;
int snprintf_s(char * /*restrict*/ s, rsize_t n, const char * /*restrict*/ format, ...);
void test7(const char *strings) // separated by \0, terminated by \0\0
{
char buffer[256];
int pos = 0;
while (*strings != 0)
{
pos += snprintf_s(buffer + pos, sizeof(buffer) - pos, "%s\n", strings); // BAD
// (note that the protections built into `snprintf_s` appear to mean this is less likely
// to be exploitable than with `snprintf`)
strings += strlen(strings) + 1;
}
}
void concat_strings(char *buf, size_t buf_len, const char **strings, size_t n_strings) {
while (n_strings > 0) {
int ret = snprintf(buf, buf_len, "%s", *strings); // GOOD
if (ret > buf_len)
return;
buf_len -= ret;
buf += ret;
n_strings--;
strings++;
}
}
Reference in New Issue View Git Blame Copy Permalink