C++: Add test cases for HeuristicAllocationExpr in queries.

geoffw0 · geoffw0 · commit a9aa67177b76 · 2023-01-05T11:30:21.000Z
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp
@@ -1,4 +1,4 @@
-// tests1.cpp
+// tests3.cpp
 
 typedef unsigned int size_t;
 
@@ -66,3 +66,21 @@ void test3c()
 
 	delete buffer;
 }
+
+ // --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return std::malloc(size); }
+void *MyMalloc2(size_t size);
+
+void tests4()
+{
+	const char *str4 = "1234";
+	char *buffer1 = 0;
+	char *buffer2 = 0;
+
+	buffer1 = (char *)MyMalloc1(strlen(str4)); // BAD [NOT DETECTED]
+	strcpy(buffer1, str4);
+
+	buffer2 = (char *)MyMalloc2(strlen(str4)); // BAD [NOT DETECTED]
+	strcpy(buffer2, str4);
+}
diff --git a/cpp/ql/test/query-tests/Critical/SizeCheck/test.c b/cpp/ql/test/query-tests/Critical/SizeCheck/test.c
@@ -58,3 +58,14 @@ void test_union() {
 	MyUnion *a = malloc(sizeof(MyUnion)); // GOOD
 	MyUnion *b = malloc(sizeof(MyStruct)); // BAD (too small)
 }
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests()
+{
+    float *fptr1 = MyMalloc1(3); // BAD (too small) [NOT DETECTED]
+    float *fptr2 = MyMalloc2(3); // BAD (too small) [NOT DETECTED]
+}
diff --git a/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c b/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c
@@ -43,5 +43,13 @@ void good1(void) {
     free(dptr);
 }
 
-
-
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests()
+{
+    double *dptr1 = MyMalloc1(33); // BAD -- Not a multiple of sizeof(double) [NOT DETECTED]
+    double *dptr2 = MyMalloc2(33); // BAD -- Not a multiple of sizeof(double) [NOT DETECTED]
+}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp
@@ -72,3 +72,21 @@ void bad4(char *str) {
     strcpy(buffer, str);
     free(buffer);
 }
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests(char *str)
+{
+	{
+		char *buffer1 = (char *)MyMalloc1(strlen(str)); // BAD (no room for `\0` terminator) [NOT DETECTED]
+		strcpy(buffer1, str);
+	}
+
+	{
+		char *buffer2 = (char *)MyMalloc2(strlen(str)); // BAD (no room for `\0` terminator) [NOT DETECTED]
+		strcpy(buffer2, str);
+	}
+}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -25,6 +25,9 @@ edges
 | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:289:17:289:20 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
 | test.cpp:305:18:305:21 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
+| test.cpp:348:24:348:27 | size | test.cpp:348:46:348:49 | size |
+| test.cpp:353:18:353:23 | call to getenv | test.cpp:355:35:355:38 | size |
+| test.cpp:355:35:355:38 | size | test.cpp:348:24:348:27 | size |
 nodes
 | test.cpp:39:27:39:30 | argv | semmle.label | argv |
 | test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
@@ -58,6 +61,10 @@ nodes
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:305:18:305:21 | size [post update] | semmle.label | size [post update] |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:348:24:348:27 | size | semmle.label | size |
+| test.cpp:348:46:348:49 | size | semmle.label | size |
+| test.cpp:353:18:353:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:355:35:355:38 | size | semmle.label | size |
 subpaths
 #select
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
@@ -76,3 +83,4 @@ subpaths
 | test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:25 | call to getenv | user input (an environment variable) |
 | test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:23 | call to getenv | user input (an environment variable) |
 | test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:23 | call to getenv | user input (an environment variable) |
+| test.cpp:348:39:348:44 | call to malloc | test.cpp:353:18:353:23 | call to getenv | test.cpp:348:46:348:49 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:23 | call to getenv | user input (an environment variable) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -342,3 +342,16 @@ void equality_barrier() {
 		int* a = (int*)malloc(size1 * sizeof(int)); // GOOD
 	}
 }
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); } // [detected here]
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests()
+{
+	int size = atoi(getenv("USER"));
+
+	char *chars1 = (char *)MyMalloc1(size); // BAD [detected above]
+	char *chars2 = (char *)MyMalloc2(size); // BAD [NOT DETECTED]
+}
