C++: Add testcases demonstrating FPs from real code.

MathiasVP · MathiasVP · commit a6f1f8d3b6f5 · 2021-07-12T17:39:12.000+02:00
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -7,6 +7,8 @@ edges
 | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
 | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:115:12:115:15 | call to rand | test.c:116:3:116:4 | r1 |
+| test.c:118:13:118:16 | call to rand | test.c:119:3:119:4 | r2 |
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:13:2:13:15 | Chi [[]] | test.cpp:30:13:30:14 | get_rand2 output argument [[]] |
@@ -33,6 +35,10 @@ nodes
 | test.c:83:9:83:9 | r | semmle.label | r |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:115:12:115:15 | call to rand | semmle.label | call to rand |
+| test.c:116:3:116:4 | r1 | semmle.label | r1 |
+| test.c:118:13:118:16 | call to rand | semmle.label | call to rand |
+| test.c:119:3:119:4 | r2 | semmle.label | r2 |
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:15 | Chi [[]] | semmle.label | Chi [[]] |
@@ -56,6 +62,8 @@ nodes
 | test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
 | test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.c:116:3:116:4 | r1 | test.c:115:12:115:15 | call to rand | test.c:116:3:116:4 | r1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:115:12:115:15 | call to rand | Uncontrolled value |
+| test.c:119:3:119:4 | r2 | test.c:118:13:118:16 | call to rand | test.c:119:3:119:4 | r2 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:118:13:118:16 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
@@ -109,4 +109,13 @@ void randomTester() {
 
 void add_100(int r) {
   r += 100; // GOOD
-}
+}
+
+void randomTester2(int bound, int min, int max) {
+  int r1 = rand() % bound;
+  r1 += 100; // GOOD [FALSE POSITIVE] (`bound` may possibly be MAX_INT in which case this could
+             //                        still overflow, but it's most likely fine)
+
+  int r2 = (rand() % (max - min + 1)) + min;
+  r2 += 100; // GOOD [FALSE POSITIVE] (This is a common way to clamp the random value between [min, max])
+}
