C++: Add tests exposing some FP's for OverflowStatic query

andersfugmann · andersfugmann · commit 4ab9b81a9a82 · 2021-09-13T11:09:56.000+02:00
diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected b/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected
@@ -9,6 +9,15 @@
 | test.c:15:9:15:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[6]' is accessed here. |
 | test.c:20:9:20:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[5]' is accessed here. |
 | test.c:21:9:21:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[6]' is accessed here. |
+| test.c:39:3:39:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[7]' is accessed here. |
+| test.c:40:3:40:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[8]' is accessed here. |
+| test.c:51:3:51:20 | access to array | Potential buffer-overflow: 'ptr' has size 1 but 'ptr[7]' is accessed here. |
+| test.c:52:3:52:18 | access to array | Potential buffer-overflow: 'ptr' has size 1 but 'ptr[8]' is accessed here. |
+| test.c:58:3:58:28 | access to array | Potential buffer-overflow: 'ptr' has size 1 but 'ptr[7]' is accessed here. |
+| test.c:59:3:59:26 | access to array | Potential buffer-overflow: 'ptr' has size 1 but 'ptr[8]' is accessed here. |
+| test.c:65:3:65:20 | access to array | Potential buffer-overflow: 'ptr' has size 1 but 'ptr[7]' is accessed here. |
+| test.c:66:3:66:18 | access to array | Potential buffer-overflow: 'ptr' has size 1 but 'ptr[8]' is accessed here. |
+| test.c:72:3:72:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[1]' is accessed here. |
 | test.cpp:19:3:19:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer1' has 3 elements. |
 | test.cpp:20:3:20:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer2' has 3 elements. |
 | test.cpp:24:27:24:27 | 4 | Potential buffer-overflow: 'buffer1' has size 3 not 4. |
diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c
@@ -27,3 +27,47 @@ void f(void) {
     c = stru.zs[6]; // GOOD (zs is variable size)
 }
 
+void* malloc(long unsigned int);
+typedef struct {
+    char len;
+    char buf[1];
+} var_buf;
+
+void test_buffer_sentinal() {
+  var_buf *b = malloc(10); // len(buf.buffer) effectively 8
+  b->buf[0] = 0; // GOOD
+  b->buf[7] = 0; // GOOD [FALSE POSITIVE]
+  b->buf[8] = 0; // BAD
+}
+
+union u {
+  unsigned long value;
+  char ptr[1];
+};
+
+void union_test() {
+  union u u;
+  u.ptr[0] = 0; // GOOD
+  u.ptr[sizeof(u)-1] = 0; // GOOD [FALSE POSITIVE]
+  u.ptr[sizeof(u)] = 0; // BAD
+}
+
+void test_struct_union() {
+  struct { union u u; } v;
+  v.u.ptr[0] = 0; // GOOD
+  v.u.ptr[sizeof(union u)-1] = 0; // GOOD [FALSE POSITIVE]
+  v.u.ptr[sizeof(union u)] = 0; // BAD
+}
+
+void union_test2() {
+  union { char ptr[1]; unsigned long value; } u;
+  u.ptr[0] = 0; // GOOD
+  u.ptr[sizeof(u)-1] = 0; // GOOD [FALSE POSITIVE]
+  u.ptr[sizeof(u)] = 0; // BAD
+}
+
+void test_alloc() {
+  // Special case of taking sizeof without any addition or multiplications
+  var_buf *b = malloc(sizeof(var_buf));
+  b->buf[1] = 0; // BAD
+}
