C++: Additional test cases.

Author: geoffw0

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected

@@ -29,6 +29,9 @@
 | tests.cpp:363:2:363:16 | access to array | This array indexing operation accesses byte offset 219 but the $@ is only 200 bytes. | tests.cpp:344:11:344:21 | structArray | array |
 | tests.cpp:364:25:364:39 | access to array | This array indexing operation accesses byte offset 219 but the $@ is only 200 bytes. | tests.cpp:344:11:344:21 | structArray | array |
 | tests.cpp:367:23:367:34 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:343:6:343:13 | intArray | array |
+| tests.cpp:369:2:369:13 | access to array | This array indexing operation accesses a negative index -2 on the $@. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:370:2:370:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:374:2:374:13 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
 | tests.cpp:394:3:394:13 | access to array | This array indexing operation accesses byte offset 101 but the $@ is only 100 bytes. | tests.cpp:389:47:389:52 | call to malloc | array |
 | tests.cpp:397:3:397:13 | access to array | This array indexing operation accesses byte offset 101 but the $@ is only 101 bytes. | tests.cpp:390:47:390:52 | call to malloc | array |
 | tests.cpp:467:3:467:24 | access to array | This array indexing operation accesses a negative index -3 on the $@. | tests.cpp:465:7:465:14 | intArray | array |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp

@@ -337,13 +337,13 @@ void test12()
 	}
 }
 
-void test13()
+void test13(char *argArray)
 {
 	char charArray[10];
 	int intArray[10];
 	myStruct structArray[10];
-
-
+	char *ptrArray = charArray;
+	char *ptrArrayOffset = charArray + 1;
 
 	charArray[-1] = 1; // BAD: underrun write
 	charArray[0] = 1; // GOOD
@@ -366,24 +366,24 @@ void test13()
 	charArray[9] = (char)intArray[9]; // GOOD
 	charArray[9] = (char)intArray[10]; // BAD: overrun read
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+	ptrArray[-2] = 1; // BAD: underrun write
+	ptrArray[-1] = 1; // BAD: underrun write
+	ptrArray[0] = 1; // GOOD
+	ptrArray[8] = 1; // GOOD
+	ptrArray[9] = 1; // GOOD
+	ptrArray[10] = 1; // BAD: overrun write
+
+	ptrArrayOffset[-2] = 1; // BAD: underrun write [NOT DETECTED]
+	ptrArrayOffset[-1] = 1; // GOOD (there is room for this)
+	ptrArrayOffset[0] = 1; // GOOD
+	ptrArrayOffset[8] = 1; // GOOD
+	ptrArrayOffset[9] = 1; // BAD: overrun write [NOT DETECTED]
+	ptrArrayOffset[10] = 1; // BAD: overrun write [NOT DETECTED]
+
+	argArray[-1] = 1; // BAD: underrun write [NOT DETECTED]
+	argArray[0] = 1; // GOOD
+	argArray[1] = 1; // GOOD (we can't tell the length of this array)
+	argArray[999] = 1; // GOOD (we can't tell the length of this array)
 
 	{
 		unsigned short *buffer1 = (unsigned short *)malloc(sizeof(short) * 50);