C++: Only recognize signed integers as sinks in 'cpp/uncontrolled-arithmetic' in the case of overflow.

MathiasVP · MathiasVP · commit 95fa93b27400 · 2021-12-20T14:02:44.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -82,8 +82,11 @@ predicate missingGuard(VariableAccess va, string effect) {
     op.getUnspecifiedType().(IntegralType).isUnsigned() and
     not op instanceof MulExpr
     or
-    // overflow
-    missingGuardAgainstOverflow(op, va) and effect = "overflow"
+    // overflow - only report signed integer overflow since unsigned overflow
+    // is well-defined.
+    op.getUnspecifiedType().(IntegralType).isSigned() and
+    missingGuardAgainstOverflow(op, va) and
+    effect = "overflow"
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -82,8 +82,11 @@ predicate missingGuard(VariableAccess va, string effect) {`
`82`	`82`	`op.getUnspecifiedType().(IntegralType).isUnsigned() and`
`83`	`83`	`not op instanceof MulExpr`
`84`	`84`	`or`
`85`		`- // overflow`
`86`		`- missingGuardAgainstOverflow(op, va) and effect = "overflow"`
	`85`	`+ // overflow - only report signed integer overflow since unsigned overflow`
	`86`	`+ // is well-defined.`
	`87`	`+ op.getUnspecifiedType().(IntegralType).isSigned() and`
	`88`	`+ missingGuardAgainstOverflow(op, va) and`
	`89`	`+ effect = "overflow"`
`87`	`90`	`)`
`88`	`91`	`}`
`89`	`92`