mirror of
https://github.com/github/codeql.git
synced 2025-12-27 14:16:34 +01:00
41 lines
1.4 KiB
XML
41 lines
1.4 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
|
|
<overview>
|
|
<p>
|
|
This query finds pointer arithmetic expressions that use a value returned from a function without checking that the value is positive.
|
|
Most pointer arithmetic and almost all array element accesses use a positive value for offsets. A negative value is likely to be
|
|
a defect in the returning function. Checking pointer offsets (particularly if they derive from user input) is necessary to avoid
|
|
buffer overruns.
|
|
</p>
|
|
|
|
<p>
|
|
The query looks only at the return values of functions that may return a negative value (not all functions).
|
|
</p>
|
|
|
|
<include src="dataFlowWarning.inc.qhelp" />
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>
|
|
Review the function. Determine whether it needs to check that the value is positive before performing pointer arithmetic.
|
|
</p>
|
|
</recommendation>
|
|
|
|
<example>
|
|
<p>The example below shows an example of this problem. There is no check to ensure that the value of <code>recordIdx</code>
|
|
is positive and safe to use as an array offset.
|
|
</p>
|
|
|
|
<sample src="MissingNegativityTest.cpp" />
|
|
</example>
|
|
|
|
<references>
|
|
<li>cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/pointers/">Pointers</a>.</li>
|
|
<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts">ARR30-C. Do not form or use out-of-bounds pointers or array subscripts</a>.</li>
|
|
</references>
|
|
</qhelp>
|