Merge pull request github#5859 from MathiasVP/fix-fp-in-comparison-with-wider-type

MathiasVP · web-flow · commit 5016c6436abf · 2021-05-10T17:58:31.000+02:00
C++: Fix false positive in `cpp/comparison-with-wider-type`
diff --git a/cpp/change-notes/2021-10-05-comparison-with-wider-type.md b/cpp/change-notes/2021-10-05-comparison-with-wider-type.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -49,7 +49,9 @@ where
   small = rel.getLesserOperand() and
   large = rel.getGreaterOperand() and
   rel = l.getCondition().getAChild*() and
-  upperBound(large).log2() > getComparisonSize(small) * 8 and
+  forall(Expr conv | conv = large.getConversion*() |
+    upperBound(conv).log2() > getComparisonSize(small) * 8
+  ) and
   // Ignore cases where the smaller type is int or larger
   // These are still bugs, but you should need a very large string or array to
   // trigger them. We will want to disable this for some applications, but it's
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
@@ -0,0 +1,7 @@
+void test_issue_5850(unsigned char small, unsigned int large1) {
+	for(; small < static_cast<unsigned char>(large1 - 1); small++) { } // GOOD
+}
+
+void test_widening(unsigned char small, char large) {
+	for(; small < static_cast<unsigned int>(static_cast<short>(large) - 1); small++) { } // GOOD
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	`+* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.`