/**
 * @name Potential buffer overflow
 * @description Using a library function that does not check buffer bounds
 *              requires the surrounding program to be very carefully written
 *              to avoid buffer overflows.
 * @kind problem
 * @id cpp/potential-buffer-overflow
 * @problem.severity warning
 * @tags reliability
 *       security
 *       external/cwe/cwe-676
 * @deprecated This query is deprecated, use
 *             Potentially overrunning write (`cpp/overrunning-write`) and
 *             Potentially overrunning write with float to string conversion
 *             (`cpp/overrunning-write-with-float`) instead.
 */
import cpp
import semmle.code.cpp.commons.Buffer
/**
 * A call to `sprintf` or `vsprintf`: a formatted write whose length is not
 * bounded by the function itself, so the destination buffer (argument 0) must
 * be large enough for the longest string the format (argument 1) can produce.
 */
class SprintfCall extends FunctionCall {
  SprintfCall() {
    exists(string calleeName | calleeName = this.getTarget().getName() |
      calleeName = "sprintf" or calleeName = "vsprintf"
    )
  }

  /**
   * Gets the size of the destination buffer, as computed by `getBufferSize`
   * from `semmle.code.cpp.commons.Buffer` for argument 0. Has no result when
   * that predicate yields none for the argument.
   */
  int getBufferSize() {
    exists(Expr dest | dest = this.getArgument(0) | result = getBufferSize(dest, _))
  }

  /**
   * Gets the maximum converted length of the format literal passed as
   * argument 1, via `FormatLiteral.getMaxConvertedLength()`. Has no result
   * when argument 1 is not a `FormatLiteral` or that predicate yields none.
   */
  int getMaxConvertedLength() {
    exists(FormatLiteral fmt | fmt = this.getArgument(1) | result = fmt.getMaxConvertedLength())
  }

  /**
   * Holds if the longest string the format can produce is strictly larger
   * than the destination buffer. If either quantity has no result, the
   * comparison has none either and the call is not reported.
   */
  predicate isDangerous() { this.getBufferSize() < this.getMaxConvertedLength() }

  /** Gets the alert message for this call, naming both lengths. */
  string getDescription() {
    exists(int maxLen, int bufSize |
      maxLen = this.getMaxConvertedLength() and
      bufSize = this.getBufferSize()
    |
      result =
        "This conversion may yield a string of length " + maxLen.toString() +
          ", which exceeds the allocated buffer size of " + bufSize.toString()
    )
  }
}
/* Report each sprintf/vsprintf call whose format can produce more than its buffer holds. */
from SprintfCall call
where call.isDangerous()
select call, call.getDescription()