C++: Properly handle conversions in convertedExprMayThrow. This recursive implementation idea is stolen from convertedExprMightOverflow in SimpleRangeAnalysis.

MathiasVP · MathiasVP · commit 90e8368258ea · 2021-05-07T12:31:43.000+02:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -107,7 +107,11 @@ predicate stmtMayThrow(Stmt stmt) {
 }
 
 /** Holds if the evaluation of `e` (including conversions) may throw an exception. */
-predicate convertedExprMayThrow(Expr e) { exprMayThrow(e.getFullyConverted()) }
+predicate convertedExprMayThrow(Expr e) {
+  exprMayThrow(e)
+  or
+  convertedExprMayThrow(e.getConversion())
+}
 
 /** Holds if the evaluation of `e` may throw an exception. */
 predicate exprMayThrow(Expr e) {
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -14,6 +14,4 @@
 | test.cpp:93:15:93:41 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:96:10:96:36 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
-| test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
 | test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |
-| test.cpp:225:23:225:29 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:226:34:226:36 | { ... } | This catch block |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -196,7 +196,7 @@ void good_new_with_throwing_call() {
 
 void bad_new_with_nonthrowing_call() {
   try {
-    int* p1 = new(std::nothrow) int; // BAD
+    int* p1 = new(std::nothrow) int; // BAD [NOT DETECTED]
     calls_non_throwing(p1);
   } catch(...) {  }
 
@@ -222,6 +222,6 @@ void good_new_catch_exception_in_assignment() {
 
 void good_new_catch_exception_in_conversion() {
   try {
-    long* p = (long*) new int; // GOOD [FALSE POSITIVE]
+    long* p = (long*) new int; // GOOD
   } catch(const std::bad_alloc&) { }
 }
