C++: Add linear expression logic.

geoffw0 · geoffw0 · commit 60e4faba4c24 · 2021-04-06T22:28:36.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -14,6 +14,7 @@ import cpp
 import semmle.code.cpp.commons.Exclusions
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import semmle.code.cpp.controlflow.Guards
 
 /**
@@ -46,6 +47,22 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
     exprIsSubLeftOrLess(sub, other) and
     isGuarded(sub, other, e) // left >= right
   )
+  or
+  exists(Expr other, float p, float q |
+    // linear access of `other`
+    exprIsSubLeftOrLess(sub, other) and
+    linearAccess(e, other, p, q) and // e = p * other + q
+    p <= 1 and
+    q <= 0
+  )
+  or
+  exists(Expr other, float p, float q |
+    // linear access of `e`
+    exprIsSubLeftOrLess(sub, other) and
+    linearAccess(other, e, p, q) and // other = p * e + q
+    p >= 1 and
+    q >= 0
+  )
 }
 
 from RelationalOperation ro, SubExpr sub
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -8,9 +8,7 @@
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:69:5:69:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:92:6:92:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:119:6:119:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:128:6:128:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:137:6:137:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:146:7:146:15 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -89,7 +89,7 @@ void test3() {
 	unsigned int a = getAnInt();
 	unsigned int b = a - 1;
 
-	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a >= b)
 		// ...
 	}
 }
@@ -116,7 +116,7 @@ void test6() {
 	unsigned int b = getAnInt();
 	unsigned int a = b + 1;
 
-	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a >= b)
 		// ...
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ void test3() {`
`89`	`89`	`unsigned int a = getAnInt();`
`90`	`90`	`unsigned int b = a - 1;`
`91`	`91`
`92`		`- if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]`
	`92`	`+ if (a - b > 0) { // GOOD (as a >= b)`
`93`	`93`	`// ...`
`94`	`94`	`}`
`95`	`95`	`}`
`@@ -116,7 +116,7 @@ void test6() {`
`116`	`116`	`unsigned int b = getAnInt();`
`117`	`117`	`unsigned int a = b + 1;`
`118`	`118`
`119`		`- if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]`
	`119`	`+ if (a - b > 0) { // GOOD (as a >= b)`
`120`	`120`	`// ...`
`121`	`121`	`}`
`122`	`122`	`}`