Merge pull request github#6495 from andersfugmann/more_buffer_overrun_tests

MathiasVP · web-flow · commit 88372df12553 · 2021-08-17T16:18:36.000+02:00
More buffer overrun tests
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp
@@ -0,0 +1,39 @@
+typedef unsigned char uint8_t;
+#define SIZE (32)
+
+void test_buffer_overrun_in_for_loop()
+{
+    uint8_t data[SIZE] = {0};
+    for (int x = 0; x < SIZE * 2; x++) {
+        data[x] = 0x41; // BAD [NOT DETECTED]
+    }
+}
+
+void test_buffer_overrun_in_while_loop_using_pointer_arithmetic()
+{
+    uint8_t data[SIZE] = {0};
+    int offset = 0;
+    while (offset < SIZE * 2) {
+        *(data + offset) = 0x41; // BAD [NOT DETECTED]
+        offset++;
+    }
+}
+
+void test_buffer_overrun_in_while_loop_using_array_indexing()
+{
+    uint8_t data[SIZE] = {0};
+    int offset = 0;
+    while (offset < SIZE * 2) {
+        data[offset] = 0x41; // BAD [NOT DETECTED]
+        offset++;
+    }
+}
+
+int main(int argc, char *argv[])
+{
+    test_buffer_overrun_in_for_loop();
+    test_buffer_overrun_in_while_loop_using_pointer_arithmetic();
+    test_buffer_overrun_in_while_loop_using_array_indexing();
+
+    return 0;
+}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -114,7 +114,7 @@ void test6(bool cond)
 	
 	c = 100;
 	buffer[c] = 'x'; // BAD: over-write [NOT DETECTED]
-	ch = buffer[c]; // BAD: under-read [NOT DETECTED]
+	ch = buffer[c]; // BAD: over-read [NOT DETECTED]
 
 	d = 0;
 	d = 1000;
