Merge pull request github#7625 from geoffw0/nullterm4

MathiasVP · web-flow · commit cb0cc8d8592a · 2022-01-18T11:18:06.000Z
C++: Fix some code duplication.
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll b/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll
@@ -101,6 +101,21 @@ predicate functionArgumentMustBeNullTerminated(Function f, int i) {
   f instanceof StrcatFunction and i = 0
 }
 
+/**
+ * Holds if `arg` is a string format argument to a formatting function call
+ * `ffc`.
+ */
+predicate formatArgumentMustBeNullTerminated(FormattingFunctionCall ffc, Expr arg) {
+  // String argument to a formatting function (such as `printf`)
+  exists(int n, FormatLiteral fl |
+    ffc.getConversionArgument(n) = arg and
+    fl = ffc.getFormat() and
+    fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
+    not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
+    not fl.hasPrecision(n) // exclude: `%.*s`
+  )
+}
+
 /**
  * Holds if `va` is a variable access where the contents must be null terminated.
  */
@@ -113,13 +128,7 @@ predicate variableMustBeNullTerminated(VariableAccess va) {
     )
     or
     // String argument to a formatting function (such as `printf`)
-    exists(int n, FormatLiteral fl |
-      fc.(FormattingFunctionCall).getConversionArgument(n) = va and
-      fl = fc.(FormattingFunctionCall).getFormat() and
-      fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
-      not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
-      not fl.hasPrecision(n) // exclude: `%.*s`
-    )
+    formatArgumentMustBeNullTerminated(fc, va)
     or
     // Call to a wrapper function that requires null termination
     // (not itself adding a null terminator)
diff --git a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -19,6 +19,7 @@ import cpp
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Allocation
+import semmle.code.cpp.commons.NullTermination
 
 predicate terminationProblem(AllocationExpr malloc, string msg) {
   // malloc(strlen(...))
@@ -35,13 +36,7 @@ predicate terminationProblem(AllocationExpr malloc, string msg) {
       af.hasArrayWithUnknownSize(arg)
       or
       // flows into string argument to a formatting function (such as `printf`)
-      exists(int n, FormatLiteral fl |
-        fc.getArgument(arg) = fc.(FormattingFunctionCall).getConversionArgument(n) and
-        fl = fc.(FormattingFunctionCall).getFormat() and
-        fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
-        not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
-        not fl.hasPrecision(n) // exclude: `%.*s`
-      )
+      formatArgumentMustBeNullTerminated(fc, fc.getArgument(arg))
     )
   ) and
   msg = "This allocation does not include space to null-terminate the string."
