C++: Add another FP.

MathiasVP · MathiasVP · commit 432c0b508af9 · 2023-04-27T14:50:29.000+01:00
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -581,6 +581,11 @@ edges
 | test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:11 | newname |
 | test.cpp:239:5:239:11 | newname | test.cpp:239:5:239:18 | access to array |
 | test.cpp:239:5:239:18 | access to array | test.cpp:239:5:239:22 | Store: ... = ... |
+| test.cpp:248:24:248:30 | call to realloc | test.cpp:249:9:249:9 | p |
+| test.cpp:248:24:248:30 | call to realloc | test.cpp:250:22:250:22 | p |
+| test.cpp:248:24:248:30 | call to realloc | test.cpp:253:9:253:9 | p |
+| test.cpp:253:9:253:9 | p | test.cpp:253:9:253:12 | access to array |
+| test.cpp:253:9:253:12 | access to array | test.cpp:253:9:253:16 | Store: ... = ... |
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -601,3 +606,4 @@ edges
 | test.cpp:213:5:213:13 | Store: ... = ... | test.cpp:205:23:205:28 | call to malloc | test.cpp:213:5:213:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:205:23:205:28 | call to malloc | call to malloc | test.cpp:206:21:206:23 | len | len |
 | test.cpp:232:3:232:20 | Store: ... = ... | test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:231:18:231:30 | new[] | new[] | test.cpp:232:11:232:15 | index | index |
 | test.cpp:239:5:239:22 | Store: ... = ... | test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:238:20:238:32 | new[] | new[] | test.cpp:239:13:239:17 | index | index |
+| test.cpp:253:9:253:16 | Store: ... = ... | test.cpp:248:24:248:30 | call to realloc | test.cpp:253:9:253:16 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:248:24:248:30 | call to realloc | call to realloc | test.cpp:253:11:253:11 | i | i |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -238,4 +238,18 @@ void test16(unsigned index) {
     int* newname = new int[size];
     newname[index] = 0; // GOOD [FALSE POSITIVE]
   }
-}
+}
+
+void *realloc(void *, unsigned);
+
+void test17(unsigned *p, unsigned x, unsigned k) {
+    if(k > 0 && p[1] <= p[0]){
+        unsigned n = 3*p[0] + k;
+        p = (unsigned*)realloc(p, n);
+        p[0] = n;
+        unsigned i = p[1];
+        // The following access is okay because:
+        // n = 2*p[0] + k >= p[0] + k >= p[1] + k > p[1] = i
+        p[i] = x; // GOOD [FALSE POSITIVE]
+    }
+}
