IntegerOverflow: Implement INT31-C

Adds a query to detect conversions which could potentially lead to data
loss. This covers both explicit/implicit casts, and also calls to
functions which internal convert values.

Author: lcartey

c/cert/src/rules/INT31-C/IntegerConversionCausesDataLoss.md

@@ -0,0 +1,18 @@
+# INT31-C: Ensure that integer conversions do not result in lost or misinterpreted data
+
+This query implements the CERT-C rule INT31-C:
+
+> Ensure that integer conversions do not result in lost or misinterpreted data
+
+
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [INT31-C: Ensure that integer conversions do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/INT31-C/IntegerConversionCausesDataLoss.ql

@@ -0,0 +1,88 @@
+/**
+ * @id c/cert/integer-conversion-causes-data-loss
+ * @name INT31-C: Ensure that integer conversions do not result in lost or misinterpreted data
+ * @description
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/cert/id/int31-c
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+
+class IntegerConversion extends Expr {
+  private IntegralType castedToType;
+  private Expr preConversionExpr;
+
+  IntegerConversion() {
+    // This is an explicit cast
+    castedToType = this.(Cast).getActualType() and
+    preConversionExpr = this.(Cast).getExpr()
+    or
+    // Functions that internally cast an argument to unsigned char
+    castedToType instanceof UnsignedCharType and
+    this = preConversionExpr and
+    exists(FunctionCall call, string name | call.getTarget().hasGlobalOrStdName(name) |
+      name = ["ungetc", "fputc"] and
+      this = call.getArgument(0)
+      or
+      name = ["memset", "memchr"] and
+      this = call.getArgument(1)
+      or
+      name = "memset_s" and
+      this = call.getArgument(2)
+    )
+  }
+
+  Expr getPreConversionExpr() { result = preConversionExpr }
+
+  Type getCastedToType() { result = castedToType }
+}
+
+bindingset[value]
+predicate withinIntegralRange(IntegralType typ, float value) {
+  exists(float lb, float ub, float limit |
+    limit = 2.pow(8 * typ.getSize()) and
+    (
+      if typ.isUnsigned()
+      then (
+        lb = 0 and ub = limit - 1
+      ) else (
+        lb = -limit / 2 and
+        ub = (limit / 2) - 1
+      )
+    ) and
+    value >= lb and
+    value <= ub
+  )
+}
+
+from IntegerConversion c, Expr preConversionExpr
+where
+  not isExcluded(c, IntegerOverflowPackage::integerConversionCausesDataLossQuery()) and
+  preConversionExpr = c.getPreConversionExpr() and
+  // Casting from an integral type
+  preConversionExpr.getType().getUnspecifiedType() instanceof IntegralType and
+  // Where the result is not within the range of the target type
+  (
+    not withinIntegralRange(c.getCastedToType(), lowerBound(preConversionExpr)) or
+    not withinIntegralRange(c.getCastedToType(), upperBound(preConversionExpr))
+  ) and
+  // A conversion of `-1` to `time_t` is permitted by the standard
+  not (
+    c.getType().getUnspecifiedType().hasName("time_t") and
+    preConversionExpr.getValue() = "-1"
+  ) and
+  // Conversion to unsigned char is permitted from the range [SCHAR_MIN..UCHAR_MAX], as those can
+  // legitimately represent characters
+  not (
+    c.getType().getUnspecifiedType() instanceof UnsignedCharType and
+    lowerBound(preConversionExpr) >= typeLowerBound(any(SignedCharType s)) and
+    upperBound(preConversionExpr) <= typeUpperBound(any(UnsignedCharType s))
+  )
+select c,
+  "Conversion from " + c.getPreConversionExpr().getType() + " to " + c.getCastedToType() +
+    " may cause data loss."

c/cert/test/rules/INT31-C/IntegerConversionCausesDataLoss.expected

@@ -0,0 +1,13 @@
+WARNING: Unused predicate test (/home/luke/git/codeql-coding-standards/c/cert/src/rules/INT31-C/IntegerConversionCausesDataLoss.ql:63,11-15)
+WARNING: Unused predicate withinIntegralRange (/home/luke/git/codeql-coding-standards/c/cert/src/rules/INT31-C/IntegerConversionCausesDataLoss.ql:65,11-30)
+| test.c:7:3:7:15 | (signed int)... | Conversion from unsigned int to signed int may cause data loss. |
+| test.c:17:3:17:17 | (unsigned int)... | Conversion from signed int to unsigned int may cause data loss. |
+| test.c:34:3:34:17 | (signed short)... | Conversion from signed int to signed short may cause data loss. |
+| test.c:51:3:51:19 | (unsigned short)... | Conversion from unsigned int to unsigned short may cause data loss. |
+| test.c:89:3:89:19 | (unsigned char)... | Conversion from signed int to unsigned char may cause data loss. |
+| test.c:92:3:92:19 | (unsigned char)... | Conversion from signed int to unsigned char may cause data loss. |
+| test.c:93:3:93:19 | (unsigned char)... | Conversion from signed int to unsigned char may cause data loss. |
+| test.c:97:9:97:12 | 4096 | Conversion from int to unsigned char may cause data loss. |
+| test.c:99:10:99:13 | 4096 | Conversion from int to unsigned char may cause data loss. |
+| test.c:101:13:101:16 | 4096 | Conversion from int to unsigned char may cause data loss. |
+| test.c:103:13:103:16 | 4096 | Conversion from int to unsigned char may cause data loss. |

c/cert/test/rules/INT31-C/IntegerConversionCausesDataLoss.qlref

@@ -0,0 +1 @@
+rules/INT31-C/IntegerConversionCausesDataLoss.ql

c/cert/test/rules/INT31-C/test.c

@@ -0,0 +1,108 @@
+#include <limits.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+
+void test_unsigned_to_signed(unsigned int x) {
+  (signed int)x; // NON_COMPLIANT - not larger enough to represent all
+}
+
+void test_unsigned_to_signed_check(unsigned int x) {
+  if (x <= INT_MAX) {
+    (signed int)x; // COMPLIANT
+  }
+}
+
+void test_signed_to_unsigned(signed int x) {
+  (unsigned int)x; // NON_COMPLIANT - not large enough to represent all
+}
+
+void test_signed_to_unsigned_check(signed int x) {
+  if (x >= 0) {
+    (unsigned int)x; // COMPLIANT
+  }
+}
+
+void test_signed_to_unsigned_check2(signed int x) {
+  if (x < 0) {
+  } else {
+    (unsigned int)x; // COMPLIANT
+  }
+}
+
+void test_signed_loss_of_precision(signed int x) {
+  (signed short)x; // NON_COMPLIANT - not large enough to represent all
+}
+
+void test_signed_loss_of_precision_check(signed int x) {
+  if (x >= SHRT_MIN && x <= SHRT_MAX) {
+    (signed short)x; // COMPLIANT
+  }
+}
+
+void test_signed_loss_of_precision_check2(signed int x) {
+  if (x < SHRT_MIN || x > SHRT_MAX) {
+  } else {
+    (signed short)x; // COMPLIANT
+  }
+}
+
+void test_unsigned_loss_of_precision(unsigned int x) {
+  (unsigned short)x; // NON_COMPLIANT - not large enough to represent all
+}
+
+void test_unsigned_loss_of_precision_check(unsigned int x) {
+  if (x <= USHRT_MAX) {
+    (unsigned short)x; // COMPLIANT
+  }
+}
+
+void test_unsigned_loss_of_precision_check2(unsigned int x) {
+  if (x > USHRT_MAX) {
+  } else {
+    (unsigned short)x; // COMPLIANT
+  }
+}
+
+// We create a fake stub here to test the case
+// that time_t is an unsigned type.
+typedef unsigned int time_t;
+time_t time(time_t *seconds);
+
+void test_time_t_check_against_zero(time_t x) {
+  time_t now = time(0);
+  if (now != -1) { // NON_COMPLIANT[FALSE_NEGATIVE] - there is no conversion
+                   // here in our model
+  }
+  if (now != (time_t)-1) { // COMPLIANT
+  }
+}
+
+void test_chars() {
+  signed int i1 = 'A';
+  signed int i2 = 100000;
+  signed int i3 = -128;
+  signed int i4 = 255;
+  signed int i5 = -129;
+  signed int i6 = 256;
+  (unsigned char)i1; // COMPLIANT
+  (unsigned char)i2; // NON_COMPLIANT
+  (unsigned char)i3; // COMPLIANT
+  (unsigned char)i4; // COMPLIANT
+  (unsigned char)i5; // NON_COMPLIANT
+  (unsigned char)i6; // NON_COMPLIANT
+}
+
+void test_funcs(int *a, size_t n) {
+  fputc(4096, stdout); // NON_COMPLIANT
+  fputc('A', stdout);  // COMPLIANT
+  ungetc(4096, stdin); // NON_COMPLIANT
+  ungetc('A', stdin);  // COMPLIANT
+  memchr(a, 4096, n);  // NON_COMPLIANT
+  memchr(a, 'A', n);   // COMPLIANT
+  memset(a, 4096, n);  // NON_COMPLIANT
+  memset(a, 0, n);     // COMPLIANT
+  // not supported in our stdlib, or in any of the compilers
+  // memset_s(a, rn, 4096, n); // NON_COMPLIANT
+  // memset_s(a, rn, 0, n);    // COMPLIANT
+}