C++: Add FP test case for cpp/invalid-pointer-deref

jketema · jketema · commit 8fb3d838c95d · 2023-06-15T10:03:31.000+02:00
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -748,6 +748,30 @@ edges
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
 | test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:388:14:388:27 | new[] | test.cpp:389:16:389:17 | xs |
+| test.cpp:388:14:388:27 | new[] | test.cpp:392:5:392:6 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:6 | xs |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:15 | p | semmle.label | p |
@@ -1087,6 +1111,17 @@ nodes
 | test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
 | test.cpp:384:13:384:16 | Load: * ... | semmle.label | Load: * ... |
 | test.cpp:384:14:384:16 | end | semmle.label | end |
+| test.cpp:388:14:388:27 | new[] | semmle.label | new[] |
+| test.cpp:389:16:389:17 | xs | semmle.label | xs |
+| test.cpp:392:5:392:6 | xs | semmle.label | xs |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:395:5:395:6 | xs | semmle.label | xs |
+| test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -1113,3 +1148,4 @@ subpaths
 | test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
 | test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
 | test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
+| test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -383,3 +383,14 @@ void test27(unsigned size, bool b) {
 
   int val = *end; // BAD
 }
+
+void test28(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+    if (xs >= end)
+      return;
+    xs++;
+    if (xs >= end)
+      return;
+    xs[0] = 0;  // GOOD [FALSE POSITIVE]
+}
