also get the variable for array accesses

Author: erik-krogh

java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql

@@ -27,11 +27,17 @@ class DangerousAssignOpExpr extends AssignOp {
 
 predicate problematicCasting(Type t, Expr e) { e.getType().(NumType).widerThan(t) }
 
+Variable getVariable(DangerousAssignOpExpr a) {
+  result = a.getDest().(VarAccess).getVariable()
+  or
+  result = a.getDest().(ArrayAccess).getArray().(VarAccess).getVariable()
+}
+
 from DangerousAssignOpExpr a, Expr e, Variable v
 where
   e = a.getSource() and
   problematicCasting(a.getDest().getType(), e) and
-  v = a.getDest().(VarAccess).getVariable()
+  v = getVariable(a)
 select a,
   "Implicit cast of source $@ to narrower destination type " + a.getDest().getType().getName() + ".",
   v, "type " + e.getType().getName()

java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.expected

@@ -1,2 +1,3 @@
 | Test.java:68:5:68:25 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:64:4:64:13 | int i | type long |
 | Test.java:87:4:87:9 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:81:4:81:13 | int i | type long |
+| Test.java:289:5:289:30 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:285:4:285:27 | int[] arr | type long |

java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java

@@ -279,6 +279,16 @@ public static void main(String[] args) {
 			// subsequently cast to narrower type int
 			int widenedThenNarrowed = (int) (data2 + 10L);
 		}
+
+    // InformationLoss
+		{
+			int[] arr = new int[10];
+			while (arr[2] < 1000000) {
+				// BAD: getLargeNumber is implicitly narrowed to an integer
+				// which will result in overflows if it is large
+				arr[2] += getLargeNumber();
+			}
+		}
 	}
 
 	public static long getLargeNumber() {