
Commit 01b357e

authored
Update DivideByZeroUsingReturnValue.ql
1 parent 392c948 commit 01b357e

1 file changed

+13
-19
lines changed


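--- a/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
@@ -15,9 +15,9 @@ import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.controlflow.Guards
 
 /** Holds if function `fn` can return a value equal to value `val` */
-predicate mayBeReturnValue(Function fn, Expr val) {
+predicate mayBeReturnValue(Function fn, float val) {
 exists(Expr tmpExp, ReturnStmt rs |
-tmpExp.getValue().toFloat() = val.getValue().toFloat() and
+tmpExp.getValue().toFloat() = val and
 rs.getEnclosingFunction() = fn and
 (
 globalValueNumber(rs.getExpr()) = globalValueNumber(tmpExp)
@@ -39,7 +39,7 @@ predicate mayBeReturnValue(Function fn, Expr val) {
 
 /** Holds if function `fn` can return a value equal zero */
 predicate mayBeReturnZero(Function fn) {
-exists(Expr zr | zr.getValue().toFloat() = 0 and mayBeReturnValue(fn, zr))
+mayBeReturnValue(fn, 0)
 or
 fn.hasName([
 "iswalpha", "iswlower", "iswprint", "iswspace", "iswblank", "iswupper", "iswcntrl",
@@ -101,7 +101,7 @@ predicate compareFunctionWithValue(Expr guardExp, Function compArg, Expr valArg)
 if valArg.getValue().toFloat() = 0
 then
 exists(NotExpr ne, IfStmt ifne |
-globalValueNumber(ne.getOperand()) = globalValueNumber(compArg.getACallToThisFunction()) and
+ne.getOperand() = globalValueNumber(compArg.getACallToThisFunction()).getAnExpr() and
 ifne.getCondition() = ne and
 ifne.getThen().getAChild*() = guardExp
 )
@@ -152,7 +152,7 @@ predicate compareExprWithValue(Expr guardExp, Expr compArg, Expr valArg) {
 if valArg.getValue().toFloat() = 0
 then
 exists(NotExpr ne, IfStmt ifne |
-globalValueNumber(ne.getOperand()) = globalValueNumber(compArg) and
+ne.getOperand() = globalValueNumber(compArg).getAnExpr() and
 ifne.getCondition() = ne and
 ifne.getThen().getAChild*() = guardExp
 )
@@ -222,10 +222,8 @@ where
 changeInt = 0
 or
 // Denominator can be sum or difference.
-exists(Expr changeExpr |
-mayBeReturnValue(fn, changeExpr) and
-changeInt = getValueOperand(div.getRV(), findVal, changeExpr)
-)
+changeInt = getValueOperand(div.getRV(), findVal, _) and
+mayBeReturnValue(fn, changeInt)
 ) and
 exp = div and
 msg =
@@ -249,19 +247,15 @@ where
 changeInt2 = 0
 or
 // Denominator can be sum or difference.
-exists(Expr changeExpr |
-mayBeReturnValue(fn, changeExpr) and
-changeInt = getValueOperand(divFc.getArgument(posArg), findVal, changeExpr) and
-changeInt2 = 0
-)
+changeInt = getValueOperand(divFc.getArgument(posArg), findVal, _) and
+mayBeReturnValue(fn, changeInt) and
+changeInt2 = 0
 )
 or
 // Look for a situation where the difference or subtraction is considered as an argument, and it can be used in the same way.
-exists(Expr changeExpr |
-changeInt = getValueOperand(div.getRV(), divVal, changeExpr) and
-changeInt2 = changeInt and
-mayBeReturnValue(fn, changeExpr)
-) and
+changeInt = getValueOperand(div.getRV(), divVal, _) and
+changeInt2 = changeInt and
+mayBeReturnValue(fn, changeInt) and
 divFc.getArgument(posArg) = findVal
 ) and
 checkConditions2(div, divVal, changeInt2) and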
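Review bot: The doc comment on the context line above the changed `mayBeReturnValue` signature in the first hunk still describes `val` as a value of an expression, but `val` is now a `float` and the body only matches return expressions that have a constant `getValue()`; I would change it to `/** Holds if function `fn` can return an expression whose constant value equals `val`. */`. In the two `where` hunks the old `exists(Expr changeExpr | ...)` tied the operand handed to `getValueOperand` to the expression whose constant value was compared against the return value, whereas the new `_` wildcard plus `mayBeReturnValue(fn, changeInt)` compares by value only; if `getValueOperand` yields something other than the constant value of its third argument (its definition is outside these hunks), this widens what is matched, so a short comment stating that equality by value is intended would make the rewrite easier to audit. The `where` clause these hunks belong to starts and ends outside the shown lines.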
