C++: Test cases motivated by a real world FP.

Author: geoffw0

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected

@@ -105,6 +105,8 @@
 | tests.cpp:994:2:994:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
 | tests.cpp:1001:2:1001:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
 | tests.cpp:1009:2:1009:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:1028:2:1028:7 | call to memset | This 'memset' operation accesses 120 bytes but the $@ is only 40 bytes. | tests.cpp:1020:12:1020:15 | arr1 | destination buffer |
+| tests.cpp:1031:2:1031:7 | call to memset | This 'memset' operation accesses 130 bytes but the $@ is only 40 bytes. | tests.cpp:1020:12:1020:15 | arr1 | destination buffer |
 | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
 | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -27,8 +27,8 @@ edges
 | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | **argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | *argv | provenance |  |
-| main.cpp:10:20:10:23 | **argv | tests.cpp:1017:32:1017:35 | **argv | provenance |  |
-| main.cpp:10:20:10:23 | *argv | tests.cpp:1017:32:1017:35 | *argv | provenance |  |
+| main.cpp:10:20:10:23 | **argv | tests.cpp:1034:32:1034:35 | **argv | provenance |  |
+| main.cpp:10:20:10:23 | *argv | tests.cpp:1034:32:1034:35 | *argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | provenance |  |
 | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance |  |
@@ -41,12 +41,12 @@ edges
 | tests.cpp:649:14:649:14 | *s [*home] | tests.cpp:649:14:649:19 | *home | provenance |  |
 | tests.cpp:649:14:649:14 | *s [*home] | tests.cpp:649:16:649:19 | *home | provenance |  |
 | tests.cpp:649:16:649:19 | *home | tests.cpp:649:14:649:19 | *home | provenance |  |
-| tests.cpp:1017:32:1017:35 | **argv | tests.cpp:1042:9:1042:15 | *access to array | provenance |  |
-| tests.cpp:1017:32:1017:35 | **argv | tests.cpp:1043:9:1043:15 | *access to array | provenance |  |
-| tests.cpp:1017:32:1017:35 | *argv | tests.cpp:1042:9:1042:15 | *access to array | provenance |  |
-| tests.cpp:1017:32:1017:35 | *argv | tests.cpp:1043:9:1043:15 | *access to array | provenance |  |
-| tests.cpp:1042:9:1042:15 | *access to array | tests.cpp:634:19:634:24 | *source | provenance |  |
-| tests.cpp:1043:9:1043:15 | *access to array | tests.cpp:643:19:643:24 | *source | provenance |  |
+| tests.cpp:1034:32:1034:35 | **argv | tests.cpp:1059:9:1059:15 | *access to array | provenance |  |
+| tests.cpp:1034:32:1034:35 | **argv | tests.cpp:1060:9:1060:15 | *access to array | provenance |  |
+| tests.cpp:1034:32:1034:35 | *argv | tests.cpp:1059:9:1059:15 | *access to array | provenance |  |
+| tests.cpp:1034:32:1034:35 | *argv | tests.cpp:1060:9:1060:15 | *access to array | provenance |  |
+| tests.cpp:1059:9:1059:15 | *access to array | tests.cpp:634:19:634:24 | *source | provenance |  |
+| tests.cpp:1060:9:1060:15 | *access to array | tests.cpp:643:19:643:24 | *source | provenance |  |
 | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance |  |
 | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 nodes
@@ -80,10 +80,10 @@ nodes
 | tests.cpp:649:14:649:14 | *s [*home] | semmle.label | *s [*home] |
 | tests.cpp:649:14:649:19 | *home | semmle.label | *home |
 | tests.cpp:649:16:649:19 | *home | semmle.label | *home |
-| tests.cpp:1017:32:1017:35 | **argv | semmle.label | **argv |
-| tests.cpp:1017:32:1017:35 | *argv | semmle.label | *argv |
-| tests.cpp:1042:9:1042:15 | *access to array | semmle.label | *access to array |
-| tests.cpp:1043:9:1043:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:1034:32:1034:35 | **argv | semmle.label | **argv |
+| tests.cpp:1034:32:1034:35 | *argv | semmle.label | *argv |
+| tests.cpp:1059:9:1059:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:1060:9:1060:15 | *access to array | semmle.label | *access to array |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp

@@ -1014,6 +1014,23 @@ void test28() {
 	ptr5[-1] = 0; // GOOD (depending what cond() does)
 }
 
+typedef int myInt29;
+typedef myInt29 myArray29[10];
+struct _myStruct29 {
+	myArray29 arr1;
+	myInt29 arr2[20];
+};
+typedef _myStruct29 myStruct29;
+
+void test29() {
+	myStruct29 *ptr;
+
+	memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2) [FALSE POSITIVE]
+	memset(&(ptr->arr1[0]), 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2)
+
+	memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2) + 10); // BAD
+}
+
 int tests_main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -1044,6 +1061,7 @@ int tests_main(int argc, char *argv[])
 	test26();
 	test27(argc);
 	test28();
+	test29();
 
 	return 0;
 }