C++: add paths to ArrayAccessProductFlow

rdmarsh2 · rdmarsh2 · commit fcd0bb13b333 · 2022-09-21T12:37:31.000-04:00
diff --git a/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
@@ -1,3 +1,8 @@
+/**
+ * @id cpp/off-by-one-array-access
+ * @kind path-problem
+ */
+
 import cpp
 import experimental.semmle.code.cpp.dataflow.ProductFlow
 import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
@@ -8,13 +13,22 @@ import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.ir.IRConfiguration
 
+import DataFlow::PathGraph
+
 // temporary - custom allocator for ffmpeg
 class AvBufferAlloc extends AllocationFunction {
   AvBufferAlloc() { this.hasGlobalName(["av_mallocz", "av_malloc"]) }
 
   override int getSizeArg() { result = 0 }
 }
 
+// temporary - custom allocator for php
+class PhpEmalloc extends AllocationFunction {
+  PhpEmalloc() { this.hasGlobalName(["_emalloc"]) }
+
+  override int getSizeArg() { result = 0 }
+}
+
 predicate bounded(Instruction i, Bound b, int delta, boolean upper) {
   // TODO: reason
   semBounded(getSemanticExpr(i), b, delta, upper, _)
@@ -61,4 +75,5 @@ from
   DataFlow::PathNode sink1, DataFlow2::PathNode sink2
 where conf.hasFlowPath(source1, source2, sink1, sink2)
 // TODO: pull delta out and display it
-select source1, source2, sink1, sink2
+select sink1, source1, sink1, "off-by one error allocated at $@ bounded by $@", source1, source1,
+  sink2, sink2
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
@@ -1,2 +1,100 @@
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | Load | test.cpp:5:25:5:28 | Load |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | Load | test.cpp:9:26:9:29 | Load |
+edges
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | Load |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load |
+| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:31:9:31:11 | arr indirection [p] |
+| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:35:9:35:11 | arr indirection [p] |
+| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
+| test.cpp:22:5:22:24 | Store | test.cpp:22:9:22:9 | arr indirection [post update] [p] |
+| test.cpp:22:9:22:9 | arr indirection [post update] [p] | test.cpp:19:9:19:16 | VariableAddress indirection [p] |
+| test.cpp:22:13:22:18 | call to malloc | test.cpp:22:5:22:24 | Store |
+| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p |
+| test.cpp:31:13:31:13 | p | test.cpp:31:13:31:13 | Load |
+| test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p |
+| test.cpp:35:13:35:13 | p | test.cpp:35:13:35:13 | Load |
+| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | arr indirection [p] |
+| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | arr indirection [p] |
+| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p |
+| test.cpp:41:13:41:13 | p | test.cpp:41:13:41:13 | Load |
+| test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p |
+| test.cpp:45:13:45:13 | p | test.cpp:45:13:45:13 | Load |
+| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
+| test.cpp:56:5:56:24 | Store | test.cpp:56:9:56:9 | arr indirection [post update] [p] |
+| test.cpp:56:9:56:9 | arr indirection [post update] [p] | test.cpp:59:9:59:11 | arr indirection [p] |
+| test.cpp:56:9:56:9 | arr indirection [post update] [p] | test.cpp:63:9:63:11 | arr indirection [p] |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:5:56:24 | Store |
+| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p |
+| test.cpp:59:13:59:13 | p | test.cpp:59:13:59:13 | Load |
+| test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p |
+| test.cpp:63:13:63:13 | p | test.cpp:63:13:63:13 | Load |
+| test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:76:20:76:29 | Call indirection [p] |
+| test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
+| test.cpp:70:5:70:25 | Store | test.cpp:70:10:70:10 | Load indirection [post update] [p] |
+| test.cpp:70:10:70:10 | Load indirection [post update] [p] | test.cpp:67:10:67:19 | VariableAddress indirection [p] |
+| test.cpp:70:14:70:19 | call to malloc | test.cpp:70:5:70:25 | Store |
+| test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:79:9:79:11 | Load indirection [p] |
+| test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:83:9:83:11 | Load indirection [p] |
+| test.cpp:79:9:79:11 | Load indirection [p] | test.cpp:79:14:79:14 | p |
+| test.cpp:79:14:79:14 | p | test.cpp:79:14:79:14 | Load |
+| test.cpp:83:9:83:11 | Load indirection [p] | test.cpp:83:14:83:14 | p |
+| test.cpp:83:14:83:14 | p | test.cpp:83:14:83:14 | Load |
+| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:89:9:89:11 | Load indirection [p] |
+| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:93:9:93:11 | Load indirection [p] |
+| test.cpp:89:9:89:11 | Load indirection [p] | test.cpp:89:14:89:14 | p |
+| test.cpp:89:14:89:14 | p | test.cpp:89:14:89:14 | Load |
+| test.cpp:93:9:93:11 | Load indirection [p] | test.cpp:93:14:93:14 | p |
+| test.cpp:93:14:93:14 | p | test.cpp:93:14:93:14 | Load |
+| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | test.cpp:87:28:87:30 | arr indirection [p] |
+nodes
+| test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:6:9:6:11 | Load | semmle.label | Load |
+| test.cpp:10:9:10:11 | Load | semmle.label | Load |
+| test.cpp:19:9:19:16 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
+| test.cpp:22:5:22:24 | Store | semmle.label | Store |
+| test.cpp:22:9:22:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
+| test.cpp:22:13:22:18 | call to malloc | semmle.label | call to malloc |
+| test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:31:13:31:13 | Load | semmle.label | Load |
+| test.cpp:31:13:31:13 | p | semmle.label | p |
+| test.cpp:35:9:35:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:35:13:35:13 | Load | semmle.label | Load |
+| test.cpp:35:13:35:13 | p | semmle.label | p |
+| test.cpp:39:27:39:29 | arr [p] | semmle.label | arr [p] |
+| test.cpp:41:9:41:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:41:13:41:13 | Load | semmle.label | Load |
+| test.cpp:41:13:41:13 | p | semmle.label | p |
+| test.cpp:45:9:45:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:45:13:45:13 | Load | semmle.label | Load |
+| test.cpp:45:13:45:13 | p | semmle.label | p |
+| test.cpp:50:18:50:25 | call to mk_array [p] | semmle.label | call to mk_array [p] |
+| test.cpp:56:5:56:24 | Store | semmle.label | Store |
+| test.cpp:56:9:56:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
+| test.cpp:56:13:56:18 | call to malloc | semmle.label | call to malloc |
+| test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:59:13:59:13 | Load | semmle.label | Load |
+| test.cpp:59:13:59:13 | p | semmle.label | p |
+| test.cpp:63:9:63:11 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:63:13:63:13 | Load | semmle.label | Load |
+| test.cpp:63:13:63:13 | p | semmle.label | p |
+| test.cpp:67:10:67:19 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
+| test.cpp:70:5:70:25 | Store | semmle.label | Store |
+| test.cpp:70:10:70:10 | Load indirection [post update] [p] | semmle.label | Load indirection [post update] [p] |
+| test.cpp:70:14:70:19 | call to malloc | semmle.label | call to malloc |
+| test.cpp:76:20:76:29 | Call indirection [p] | semmle.label | Call indirection [p] |
+| test.cpp:79:9:79:11 | Load indirection [p] | semmle.label | Load indirection [p] |
+| test.cpp:79:14:79:14 | Load | semmle.label | Load |
+| test.cpp:79:14:79:14 | p | semmle.label | p |
+| test.cpp:83:9:83:11 | Load indirection [p] | semmle.label | Load indirection [p] |
+| test.cpp:83:14:83:14 | Load | semmle.label | Load |
+| test.cpp:83:14:83:14 | p | semmle.label | p |
+| test.cpp:87:28:87:30 | arr indirection [p] | semmle.label | arr indirection [p] |
+| test.cpp:89:9:89:11 | Load indirection [p] | semmle.label | Load indirection [p] |
+| test.cpp:89:14:89:14 | Load | semmle.label | Load |
+| test.cpp:89:14:89:14 | p | semmle.label | p |
+| test.cpp:93:9:93:11 | Load indirection [p] | semmle.label | Load indirection [p] |
+| test.cpp:93:14:93:14 | Load | semmle.label | Load |
+| test.cpp:93:14:93:14 | p | semmle.label | p |
+| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
+subpaths
+#select
+| test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | Load | test.cpp:5:25:5:28 | Load |
+| test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | Load | test.cpp:9:26:9:29 | Load |
