C++: Add cpp/invalid-pointer-def FP test case

jketema · jketema · commit 9ff575447363 · 2023-06-16T16:48:24.000+02:00
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -785,6 +785,9 @@ edges
 | test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs |
 | test.cpp:419:7:419:8 | xs | test.cpp:419:7:419:11 | access to array |
 | test.cpp:419:7:419:11 | access to array | test.cpp:419:7:419:15 | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:6 | xs |
+| test.cpp:433:5:433:6 | xs | test.cpp:433:5:433:17 | access to array |
+| test.cpp:433:5:433:17 | access to array | test.cpp:433:5:433:21 | Store: ... = ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:15 | p | semmle.label | p |
@@ -1150,6 +1153,10 @@ nodes
 | test.cpp:419:7:419:8 | xs | semmle.label | xs |
 | test.cpp:419:7:419:11 | access to array | semmle.label | access to array |
 | test.cpp:419:7:419:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | semmle.label | new[] |
+| test.cpp:433:5:433:6 | xs | semmle.label | xs |
+| test.cpp:433:5:433:17 | access to array | semmle.label | access to array |
+| test.cpp:433:5:433:21 | Store: ... = ... | semmle.label | Store: ... = ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -1179,3 +1186,4 @@ subpaths
 | test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
 | test.cpp:407:3:407:22 | Store: ... = ... | test.cpp:404:12:404:25 | new[] | test.cpp:407:3:407:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:404:12:404:25 | new[] | new[] | test.cpp:407:10:407:17 | ... - ... | ... - ... |
 | test.cpp:419:7:419:15 | Store: ... = ... | test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:417:16:417:33 | new[] | new[] | test.cpp:419:10:419:10 | i | i |
+| test.cpp:433:5:433:21 | Store: ... = ... | test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:427:14:427:27 | new[] | new[] | test.cpp:433:8:433:16 | ... ++ | ... ++ |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -421,3 +421,15 @@ void test30(int *size)
   }
   *size = new_size;
 }
+
+void test31(unsigned size, unsigned src_pos)
+{
+  char *xs = new char[size];
+  if (src_pos > size) {
+    src_pos = size;
+  }
+  unsigned dst_pos = src_pos;
+  if(dst_pos < size - 3) {
+    xs[dst_pos++] = 0; // GOOD [FALSE POSITIVE]
+  }
+}
