C++: Add test cases with false positives due to missing range analysis in 'cpp/overrunning-write'.

MathiasVP · MathiasVP · commit 693baae1ba60 · 2021-11-04T21:13:28.000Z
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
@@ -3,3 +3,15 @@
 | tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
+| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:318:3:318:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:332:4:332:10 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:336:2:336:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:337:2:337:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:338:2:338:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:339:2:339:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
@@ -307,4 +307,34 @@ namespace custom_sprintf_impl {
 		char buffer8[8];
 		sprintf(buffer8, "12345678"); // BAD: potential buffer overflow
 	}
+}
+
+void test6(unsigned unsigned_value, int value) {
+	char buffer[2];
+	
+	sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
+	if (unsigned_value < 10) {
+		sprintf(buffer, "%u", unsigned_value); // GOOD [FALSE POSITIVE]
+	}
+
+	sprintf(buffer, "%u", -10); // BAD: buffer overflow
+
+	if(unsigned_value == (unsigned)-10) {
+		sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	}
+
+	sprintf(buffer, "%d", value); // BAD: buffer overflow
+	if (value < 10) {
+		sprintf(buffer, "%d", value); // BAD: buffer overflow
+
+		if(value > 0) {
+			sprintf(buffer, "%d", value); // GOOD [FALSE POSITIVE]
+		}
+	}
+
+	sprintf(buffer, "%u", 0); // GOOD [FALSE POSITIVE]
+	sprintf(buffer, "%d", 0); // GOOD [FALSE POSITIVE]
+	sprintf(buffer, "%u", 5); // GOOD [FALSE POSITIVE]
+	sprintf(buffer, "%d", 5); // GOOD [FALSE POSITIVE]
 }
