C++: Ignore gets'es with incorrect parameter counts

jketema · jketema · commit 66077dc38d4c · 2024-06-04T11:15:07.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql b/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
@@ -17,5 +17,6 @@ import cpp
 from FunctionCall call, Function target
 where
   call.getTarget() = target and
-  target.hasGlobalOrStdName("gets")
+  target.hasGlobalOrStdName("gets") and
+  target.getNumberOfParameters() = 1
 select call, "'gets' does not guard against buffer overflow."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c
@@ -36,7 +36,7 @@ char *gets(char *s);
 
 void testGets() {
 	char buf1[1024];
-	char buf2 = malloc(1024);
+	char *buf2 = malloc(1024);
 	char *s;
 
 	gets(buf1); // BAD: use of gets
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp
@@ -0,0 +1,7 @@
+char *gets();
+
+void testOtherGets() {
+	char *s;
+
+	s = gets(); // GOOD: this is not the gets from stdio.h
+}
