Merge pull request github#5877 from MathiasVP/detect-more-abs-in-overflow-library

C++: Detect more uses of `abs`

Author: geoffw0

cpp/change-notes/2021-03-11-overflow-abs.md

@@ -0,0 +1,2 @@
+lgtm
+* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

cpp/ql/src/semmle/code/cpp/security/Overflow.qll

@@ -12,7 +12,7 @@ import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
  * Holds if the value of `use` is guarded using `abs`.
  */
 predicate guardedAbs(Operation e, Expr use) {
-  exists(FunctionCall fc | fc.getTarget().getName() = "abs" |
+  exists(FunctionCall fc | fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] |
     fc.getArgument(0).getAChild*() = use and
     guardedLesser(e, fc)
   )

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp

@@ -18,3 +18,25 @@ void useTaintedInt()
 	y = getTaintedInt();
 	y = y * 1024; // BAD: arithmetic on a tainted value
 }
+
+typedef long long int intmax_t;
+
+intmax_t imaxabs(intmax_t j);
+
+void useTaintedIntWithGuard() {
+	int tainted = getTaintedInt();
+
+	if(imaxabs(tainted) <= 100) {
+		int product = tainted * tainted; // GOOD: can't underflow/overflow
+	}
+}
+
+#define INTMAX_MIN (-0x7fffffffffffffff - 1)
+
+void useTaintedIntWithGuardIntMaxMin() {
+	intmax_t tainted = getTaintedInt();
+
+	if(imaxabs(tainted) <= INTMAX_MIN) {
+		int product = tainted * tainted; // BAD: imaxabs(INTMAX_MIN) == INTMAX_MIN [NOT DETECTED]
+	}
+}