C++: Accept Microsoft/non-Microsoft format specifiers on the opposite platform.

Author: geoffw0

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -32,6 +32,24 @@ private predicate formattingFunctionCallExpectedType(
   )
 }
 
+/**
+ * Holds if the argument corresponding to the `pos` conversion specifier
+ * of `ffc` could alternatively have type `expected`, for example on a different
+ * platform.
+ */
+pragma[noopt]
+private predicate formattingFunctionCallAlternateType(
+  FormattingFunctionCall ffc, int pos, Type expected
+) {
+  exists(FormattingFunction f, int i, FormatLiteral fl |
+    ffc instanceof FormattingFunctionCall and
+    ffc.getTarget() = f and
+    f.getFormatParameterIndex() = i and
+    ffc.getArgument(i) = fl and
+    fl.getConversionTypeAlternate(pos) = expected
+  )
+}
+
 /**
  * Holds if the argument corresponding to the `pos` conversion specifier
  * of `ffc` is expected to have type `expected` and the corresponding
@@ -73,6 +91,7 @@ class ExpectedType extends Type {
     exists(Type t |
       (
         formatArgType(_, _, t, _, _) or
+        formattingFunctionCallAlternateType(_, _, t) or
         formatOtherArgType(_, _, t, _, _)
       ) and
       this = t.getUnspecifiedType()
@@ -91,7 +110,11 @@ class ExpectedType extends Type {
  */
 predicate trivialConversion(ExpectedType expected, Type actual) {
   exists(Type exp, Type act |
-    formatArgType(_, _, exp, _, act) and
+    (
+      formatArgType(_, _, exp, _, _) or
+      formattingFunctionCallAlternateType(_, _, exp)
+    ) and
+    formatArgType(_, _, _, _, act) and
     expected = exp.getUnspecifiedType() and
     actual = act.getUnspecifiedType()
   ) and
@@ -148,7 +171,10 @@ where
   (
     formatArgType(ffc, n, expected, arg, actual) and
     not exists(Type anyExpected |
-      formatArgType(ffc, n, anyExpected, arg, actual) and
+      (
+        formatArgType(ffc, n, anyExpected, arg, actual) or
+        formattingFunctionCallAlternateType(ffc, n, anyExpected)
+      ) and
       trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
     )
     or

cpp/ql/src/semmle/code/cpp/commons/Printf.qll

@@ -869,6 +869,33 @@ class FormatLiteral extends Literal {
     )
   }
 
+  /**
+   * Gets an alternate argument type that would be required by the nth
+   * conversion specifier on a Microsoft or non-Microsoft platform, opposite
+   * to that of the snapshot. This may be useful for answering 'what might
+   * happen' questions.
+   */
+  Type getConversionTypeAlternate(int n) {
+    exists(string len, string conv |
+      this.parseConvSpec(n, _, _, _, _, _, len, conv) and
+      (len != "l" and len != "w" and len != "h") and
+      getUse().getTarget().(FormattingFunction).getFormatCharType().getSize() > 1 and // wide function
+      (
+        conv = "c" and
+        result = getNonDefaultCharType()
+        or
+        conv = "C" and
+        result = getDefaultCharType()
+        or
+        conv = "s" and
+        result.(PointerType).getBaseType() = getNonDefaultCharType()
+        or
+        conv = "S" and
+        result.(PointerType).getBaseType() = getDefaultCharType()
+      )
+    )
+  }
+
   /**
    * Holds if the nth conversion specifier of this format string (if `mode = 2`), it's
    * minimum field width (if `mode = 0`) or it's precision (if `mode = 1`) requires a

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected

@@ -3,12 +3,8 @@
 | tests.cpp:21:15:21:21 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
 | tests.cpp:21:15:21:21 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
 | tests.cpp:26:17:26:24 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
-| tests.cpp:27:17:27:24 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
-| tests.cpp:29:17:29:23 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
 | tests.cpp:30:17:30:24 | Hello | This argument should be of type 'wchar_t *' but is of type 'char16_t *' |
-| tests.cpp:34:36:34:43 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:35:36:35:43 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
-| tests.cpp:37:36:37:42 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
 | tests.cpp:39:36:39:43 | Hello | This argument should be of type 'char16_t *' but is of type 'wchar_t *' |
 | tests.cpp:42:37:42:44 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:43:37:43:44 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp

@@ -24,17 +24,17 @@ void tests() {
 
 	wprintf(L"%s", "Hello"); // GOOD
 	wprintf(L"%s", u"Hello"); // BAD: expecting char
-	wprintf(L"%s", L"Hello"); // BAD: expecting char
+	wprintf(L"%s", L"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms]
 
-	wprintf(L"%S", "Hello"); // BAD: expecting wchar_t
+	wprintf(L"%S", "Hello"); // BAD: expecting wchar_t [NOT DETECTED; correct on Microsoft platforms]
 	wprintf(L"%S", u"Hello"); // BAD: expecting wchar_t
 	wprintf(L"%S", L"Hello"); // GOOD
 
 	swprintf(buffer, BUF_SIZE, u"%s", "Hello"); // GOOD
-	swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // BAD: expecting char
+	swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms]
 	swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char
 
-	swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // BAD: expecting char16_t
+	swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // BAD: expecting char16_t [NOT DETECTED; correct on Microsoft platforms]
 	swprintf(buffer, BUF_SIZE, u"%S", u"Hello"); // GOOD
 	swprintf(buffer, BUF_SIZE, u"%S", L"Hello"); // BAD: expecting char16_t
 

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.expected

@@ -1,3 +1,2 @@
-| printf.cpp:31:31:31:37 | test | This argument should be of type 'char *' but is of type 'char16_t *' |
 | printf.cpp:43:29:43:35 | test | This argument should be of type 'char *' but is of type 'char16_t *' |
 | printf.cpp:50:29:50:35 | test | This argument should be of type 'char16_t *' but is of type 'wchar_t *' |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp

@@ -28,7 +28,7 @@ int sprintf(char *dest, char *format, ...);
 void test1() {
 	WCHAR string[20];
 
-	swprintf(string, u"test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string
+	swprintf(string, u"test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string [NOT DETECTED; correct on Microsoft platforms]
 }
 
 void test2() {

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.expected

@@ -11,8 +11,6 @@
 | printf1.h:45:18:45:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:46:18:46:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:130:18:130:18 | 0 | This argument should be of type 'void *' but is of type 'int' |
-| printf1.h:154:18:154:19 | wc | This argument should be of type 'char *' but is of type 'wchar_t *' |
-| printf1.h:155:18:155:18 | c | This argument should be of type 'wchar_t *' but is of type 'char *' |
 | printf1.h:168:19:168:19 | i | This argument should be of type 'long long' but is of type 'int' |
 | printf1.h:169:19:169:20 | ui | This argument should be of type 'unsigned long long' but is of type 'unsigned int' |
 | real_world.h:61:21:61:22 | & ... | This argument should be of type 'int *' but is of type 'short *' |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h

@@ -151,8 +151,8 @@ void test_chars(char c, wchar_t wc, wint_t wt)
 void test_ws(char *c, wchar_t *wc)
 {
   wprintf(L"%s", c); // GOOD
-  wprintf(L"%s", wc); // BAD
-  wprintf(L"%S", c); // BAD
+  wprintf(L"%s", wc); // BAD [NOT DETECTED; correct on Microsoft platforms]
+  wprintf(L"%S", c); // BAD [NOT DETECTED; correct on Microsoft platforms]
   wprintf(L"%S", wc); // GOOD
 }
 

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.expected

@@ -19,8 +19,6 @@
 | printf1.h:116:16:116:24 | myString3 | This argument should be of type '__wchar_t *' but is of type 'int *' |
 | printf1.h:117:16:117:24 | myString4 | This argument should be of type '__wchar_t *' but is of type 'int *' |
 | printf1.h:130:18:130:18 | 0 | This argument should be of type 'void *' but is of type 'int' |
-| printf1.h:153:18:153:18 | c | This argument should be of type '__wchar_t *' but is of type 'char *' |
-| printf1.h:156:18:156:19 | wc | This argument should be of type 'char *' but is of type '__wchar_t *' |
 | printf1.h:181:21:181:22 | ll | This argument should be of type 'int' but is of type 'long long' |
 | printf1.h:182:21:182:23 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:185:21:185:23 | i64 | This argument should be of type 'int' but is of type 'long long' |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h

@@ -150,10 +150,10 @@ void test_chars(char c, wchar_t wc, wint_t wt)
 
 void test_ws(char *c, wchar_t *wc, wint_t *wt)
 {
-  wprintf(L"%s", c); // BAD
+  wprintf(L"%s", c); // BAD [NOT DETECTED; correct on non-Microsoft platforms]
   wprintf(L"%s", wc); // GOOD
   wprintf(L"%S", c); // GOOD
-  wprintf(L"%S", wc); // BAD
+  wprintf(L"%S", wc); // BAD [NOT DETECTED; correct on non-Microsoft platforms]
 }
 
 void fun4()