C++: test for guard-by-return in Overflow.qll

Author: rdmarsh2

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected

@@ -11,6 +11,8 @@ edges
 | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r |
 | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r |
 | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r |
+| test.c:162:19:162:38 | (unsigned int)... | test.c:166:16:166:19 | data |
+| test.c:162:33:162:36 | call to rand | test.c:166:16:166:19 | data |
 | test.cpp:6:5:6:12 | ReturnValue | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | ReturnValue |
 | test.cpp:13:2:13:6 | * ... [post update] | test.cpp:30:13:30:14 | & ... [post update] |
@@ -57,6 +59,9 @@ nodes
 | test.c:155:22:155:25 | call to rand | semmle.label | call to rand |
 | test.c:155:22:155:27 | (unsigned int)... | semmle.label | (unsigned int)... |
 | test.c:157:9:157:9 | r | semmle.label | r |
+| test.c:162:19:162:38 | (unsigned int)... | semmle.label | (unsigned int)... |
+| test.c:162:33:162:36 | call to rand | semmle.label | call to rand |
+| test.c:166:16:166:19 | data | semmle.label | data |
 | test.cpp:6:5:6:12 | ReturnValue | semmle.label | ReturnValue |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:6 | * ... [post update] | semmle.label | * ... [post update] |
@@ -104,6 +109,8 @@ subpaths
 | test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | Uncontrolled value |
 | test.c:157:9:157:9 | r | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | Uncontrolled value |
 | test.c:157:9:157:9 | r | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | Uncontrolled value |
+| test.c:166:16:166:19 | data | test.c:162:19:162:38 | (unsigned int)... | test.c:166:16:166:19 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:162:33:162:36 | call to rand | Uncontrolled value |
+| test.c:166:16:166:19 | data | test.c:162:33:162:36 | call to rand | test.c:166:16:166:19 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:162:33:162:36 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c

@@ -157,3 +157,11 @@ void moreTests() {
     r = r - 100; // BAD
   }
 }
+
+void guarded_test(unsigned p) {
+  unsigned data = (unsigned int)rand();
+  if (p >= data) {
+    return;
+  }
+  unsigned z = data - p; // GOOD [FALSE POSITIVE]
+}