C++: add cpp/very-likely-overruning-write help

redsun82 · web-flow · commit 10b62154a198 · 2022-01-13T11:59:47.000Z
Also update the help of `cpp/overruning-write`, as the case shown there
will actually not be flagged by that query any more.
diff --git a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.c b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.c
@@ -1,9 +1,9 @@
-void sayHello()
+void sayHello(uint32_t userId)
 {
-	char buffer[10];
+	char buffer[18];
 
-	// BAD: this message overflows the buffer
-	strcpy(buffer, "Hello, world!");
+	// BAD: this message overflows the buffer if userId >= 10000
+	sprintf(buffer, "Hello, user %d!", userId);
 
 	MessageBox(hWnd, buffer, "New Message", MB_OK);
 }
diff --git a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.qhelp b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.qhelp
@@ -13,13 +13,13 @@
 <example>
 <sample src="OverrunWrite.c" />
 
-<p>In this example, the call to <code>strcpy</code> copies a message of 14 characters (including the terminating null) into a buffer with space for just 10 characters.  As such, the last four characters overflow the buffer resulting in undefined behavior.</p>
+<p>In this example, the call to <code>sprintf</code> writes a message of 14 characters (including the terminating null) plus the length of the string conversion of `userId` into a buffer with space for just 18 characters.  As such, if `userId` is greater or equal to `10000`, the last characters overflow the buffer resulting in undefined behavior.</p>
 
-<p>To fix this issue three changes should be made:</p>
+<p>To fix this issue one of three changes should be made:</p>
 <ul>
-  <li>Control the size of the buffer using a preprocessor define.</li>
-  <li>Replace the call to <code>strcpy</code> with <code>strncpy</code>, specifying the define as the maximum length to copy.  This will prevent the buffer overflow.</li>
-  <li>Consider increasing the buffer size, say to 20 characters, so that the message is displayed correctly.</li>
+  <li>Preferably, replace the call to <code>sprintf</code> with <code>snprintf</code>, specifying a define or `sizeof(buffer)` as maximum length to copy. This will prevent the buffer overflow.</li>
+  <li>If `userId` is expected to be less than `10000`, then return or throw an error if `userId` is out of bounds.</li>
+  <li>Consider increasing the buffer size to at least 25 characters, so that the message is displayed correctly regardless of the value of `userId`.</li>
 </ul>
 
 </example>

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,9 @@`
`1`		`-void sayHello()`
	`1`	`+void sayHello(uint32_t userId)`
`2`	`2`	`{`
`3`		`- char buffer[10];`
	`3`	`+ char buffer[18];`
`4`	`4`
`5`		`- // BAD: this message overflows the buffer`
`6`		`- strcpy(buffer, "Hello, world!");`
	`5`	`+ // BAD: this message overflows the buffer if userId >= 10000`
	`6`	`+ sprintf(buffer, "Hello, user %d!", userId);`
`7`	`7`
`8`	`8`	`MessageBox(hWnd, buffer, "New Message", MB_OK);`
`9`	`9`	`}`