C++: fix typo in Overflow.qll abs handling

rdmarsh2 · rdmarsh2 · commit 4322a39807d3 · 2022-01-07T14:09:47.000-05:00
diff --git a/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll b/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
@@ -17,7 +17,7 @@ import semmle.code.cpp.controlflow.Guards
 predicate guardedAbs(Operation e, Expr use) {
   exists(FunctionCall fc | fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] |
     fc.getArgument(0).getAChild*() = use and
-    exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), true))
+    exists(GuardCondition c | c.ensuresLt(fc, _, _, e.getBasicBlock(), true))
   )
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -7,20 +7,10 @@ edges
 | test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:17:6:17:18 | call to getTaintedInt |
 | test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:17:6:17:18 | call to getTaintedInt |
 | test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:18:6:18:18 | call to getTaintedInt |
-| test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:27:16:27:28 | call to getTaintedInt |
-| test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:37:21:37:33 | call to getTaintedInt |
 | test5.cpp:9:7:9:9 | buf | test5.cpp:5:5:5:17 | ReturnValue |
 | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:5:5:5:17 | ReturnValue |
 | test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
 | test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
-| test5.cpp:27:16:27:28 | call to getTaintedInt | test5.cpp:30:17:30:23 | tainted |
-| test5.cpp:27:16:27:28 | call to getTaintedInt | test5.cpp:30:17:30:23 | tainted |
-| test5.cpp:27:16:27:28 | call to getTaintedInt | test5.cpp:30:27:30:33 | tainted |
-| test5.cpp:27:16:27:28 | call to getTaintedInt | test5.cpp:30:27:30:33 | tainted |
-| test5.cpp:37:21:37:33 | call to getTaintedInt | test5.cpp:40:17:40:23 | tainted |
-| test5.cpp:37:21:37:33 | call to getTaintedInt | test5.cpp:40:17:40:23 | tainted |
-| test5.cpp:37:21:37:33 | call to getTaintedInt | test5.cpp:40:27:40:33 | tainted |
-| test5.cpp:37:21:37:33 | call to getTaintedInt | test5.cpp:40:27:40:33 | tainted |
 | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
 | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
 | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
@@ -52,20 +42,6 @@ nodes
 | test5.cpp:19:6:19:6 | y | semmle.label | y |
 | test5.cpp:19:6:19:6 | y | semmle.label | y |
 | test5.cpp:19:6:19:6 | y | semmle.label | y |
-| test5.cpp:27:16:27:28 | call to getTaintedInt | semmle.label | call to getTaintedInt |
-| test5.cpp:30:17:30:23 | tainted | semmle.label | tainted |
-| test5.cpp:30:17:30:23 | tainted | semmle.label | tainted |
-| test5.cpp:30:17:30:23 | tainted | semmle.label | tainted |
-| test5.cpp:30:27:30:33 | tainted | semmle.label | tainted |
-| test5.cpp:30:27:30:33 | tainted | semmle.label | tainted |
-| test5.cpp:30:27:30:33 | tainted | semmle.label | tainted |
-| test5.cpp:37:21:37:33 | call to getTaintedInt | semmle.label | call to getTaintedInt |
-| test5.cpp:40:17:40:23 | tainted | semmle.label | tainted |
-| test5.cpp:40:17:40:23 | tainted | semmle.label | tainted |
-| test5.cpp:40:17:40:23 | tainted | semmle.label | tainted |
-| test5.cpp:40:27:40:33 | tainted | semmle.label | tainted |
-| test5.cpp:40:27:40:33 | tainted | semmle.label | tainted |
-| test5.cpp:40:27:40:33 | tainted | semmle.label | tainted |
 | test.c:11:29:11:32 | argv | semmle.label | argv |
 | test.c:11:29:11:32 | argv | semmle.label | argv |
 | test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
@@ -87,14 +63,6 @@ nodes
 | test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | buf | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:17:30:23 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:17:30:23 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:27:30:33 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:27:30:33 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:40:17:40:23 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:40:17:40:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:40:17:40:23 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:40:17:40:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:40:27:40:33 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:40:27:40:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:40:27:40:33 | tainted | test5.cpp:9:7:9:9 | buf | test5.cpp:40:27:40:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:44:7:44:10 | len2 | test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import semmle.code.cpp.controlflow.Guards`
`17`	`17`	`predicate guardedAbs(Operation e, Expr use) {`
`18`	`18`	`exists(FunctionCall fc \| fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] \|`
`19`	`19`	`fc.getArgument(0).getAChild*() = use and`
`20`		`- exists(GuardCondition c \| c.ensuresLt(use, _, _, e.getBasicBlock(), true))`
	`20`	`+ exists(GuardCondition c \| c.ensuresLt(fc, _, _, e.getBasicBlock(), true))`
`21`	`21`	`)`
`22`	`22`	`}`
`23`	`23`