C++: Add getSizeExpr and getSizeMult predicates to BufferAccess

Author: Gulshan Singh

cpp/ql/lib/semmle/code/cpp/security/BufferAccess.qll

@@ -29,7 +29,23 @@ abstract class BufferAccess extends Expr {
    */
   abstract Expr getBuffer(string bufferDesc, int accessType);
 
-  abstract int getSize();
+  /**
+   * Gets the expression that represents the size of the buffer access. The
+   * actual size is typically the value of this expression multiplied by the
+   * result of `getSizeMult()`, in bytes.
+   */
+  Expr getSizeExpr() { none() }
+
+  /**
+   * Gets a constant multiplier for the buffer access size given by
+   * `getSizeExpr`, in bytes.
+   */
+  int getSizeMult() { none() }
+
+  /**
+   * Gets the buffer access size in bytes.
+   */
+  int getSize() { result = this.getSizeExpr().getValue().toInt() * this.getSizeMult() }
 }
 
 /**
@@ -63,10 +79,10 @@ class MemcpyBA extends BufferAccess {
     accessType = 1
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(2).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -89,10 +105,10 @@ class BCopyBA extends BufferAccess {
     accessType = 1
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(2).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -115,10 +131,10 @@ class StrncpyBA extends BufferAccess {
     accessType = 2
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(2).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -141,10 +157,10 @@ class MemccpyBA extends BufferAccess {
     accessType = 2
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(3).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(3) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -172,10 +188,10 @@ class MemcmpBA extends BufferAccess {
     accessType = 2
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(2).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -199,10 +215,10 @@ class SwabBA extends BufferAccess {
     accessType = 1
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(2).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -222,10 +238,10 @@ class MemsetBA extends BufferAccess {
     accessType = 1
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(2).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -244,7 +260,9 @@ class ZeroMemoryBA extends BufferAccess {
     accessType = 1
   }
 
-  override int getSize() { result = this.(FunctionCall).getArgument(1).getValue().toInt() }
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(1) }
+
+  override int getSizeMult() { result = 1 }
 }
 
 /**
@@ -263,10 +281,10 @@ class MemchrBA extends BufferAccess {
     accessType = 2
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(2).getValue().toInt() *
-        getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
+
+  override int getSizeMult() {
+    result = getPointedSize(this.(FunctionCall).getTarget().getParameter(0).getType())
   }
 }
 
@@ -285,11 +303,9 @@ class FreadBA extends BufferAccess {
     accessType = 2
   }
 
-  override int getSize() {
-    result =
-      this.(FunctionCall).getArgument(1).getValue().toInt() *
-        this.(FunctionCall).getArgument(2).getValue().toInt()
-  }
+  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(1) }
+
+  override int getSizeMult() { result = this.(FunctionCall).getArgument(2).getValue().toInt() }
 }
 
 /**
@@ -318,11 +334,13 @@ class ArrayExprBA extends BufferAccess {
     accessType = 3
   }
 
+  override Expr getSizeExpr() { result = this.(ArrayExpr).getArrayOffset() }
+
   override int getSize() {
     // byte size of the buffer that would be required to support this
     // access
-    result =
-      (1 + this.(ArrayExpr).getArrayOffset().getValue().toInt()) *
-        this.(ArrayExpr).getType().getSize()
+    result = (1 + this.getSizeExpr().getValue().toInt()) * this.getSizeMult()
   }
+
+  override int getSizeMult() { result = this.(ArrayExpr).getType().getSize() }
 }