C++: more constant-array-overflow tests

rdmarsh2 · rdmarsh2 · commit 1c2c48c74a4c · 2023-07-03T16:59:02.000-04:00
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
@@ -1,55 +1,101 @@
 edges
+| test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array |
 | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array |
 | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array |
+| test.cpp:39:14:39:16 | buf | test.cpp:39:9:39:19 | access to array |
 | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array |
+| test.cpp:48:10:48:12 | buf | test.cpp:48:5:48:24 | access to array |
 | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array |
 | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array |
+| test.cpp:53:14:53:16 | buf | test.cpp:53:9:53:19 | access to array |
 | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array |
 | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array |
+| test.cpp:70:33:70:33 | p | test.cpp:71:5:71:17 | access to array |
 | test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array |
+| test.cpp:76:26:76:46 | & ... | test.cpp:66:32:66:32 | p |
+| test.cpp:76:32:76:34 | buf | test.cpp:76:26:76:46 | & ... |
 | test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
 | test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
 | test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
 | test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
 | test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:31 | access to array |
 | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array |
+| test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array |
+| test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array |
+| test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array |
+| test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array |
+| test.cpp:115:35:115:37 | arr | test.cpp:111:17:111:22 | access to array |
+| test.cpp:115:35:115:37 | arr | test.cpp:115:35:115:40 | access to array |
+| test.cpp:115:35:115:37 | arr | test.cpp:119:17:119:22 | access to array |
+| test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array |
+| test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array |
+| test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array |
 | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array |
 | test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... |
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
+| test.cpp:146:26:146:26 | p indirection | test.cpp:148:6:148:9 | * ... |
+| test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
+| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | & ... indirection |
+| test.cpp:158:17:158:18 | & ... indirection | test.cpp:146:26:146:26 | p indirection |
 nodes
+| test.cpp:34:5:34:24 | access to array | semmle.label | access to array |
+| test.cpp:34:10:34:12 | buf | semmle.label | buf |
 | test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
 | test.cpp:35:10:35:12 | buf | semmle.label | buf |
 | test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
 | test.cpp:36:10:36:12 | buf | semmle.label | buf |
+| test.cpp:39:9:39:19 | access to array | semmle.label | access to array |
+| test.cpp:39:14:39:16 | buf | semmle.label | buf |
 | test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
 | test.cpp:43:14:43:16 | buf | semmle.label | buf |
+| test.cpp:48:5:48:24 | access to array | semmle.label | access to array |
+| test.cpp:48:10:48:12 | buf | semmle.label | buf |
 | test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
 | test.cpp:49:10:49:12 | buf | semmle.label | buf |
 | test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
 | test.cpp:50:10:50:12 | buf | semmle.label | buf |
+| test.cpp:53:9:53:19 | access to array | semmle.label | access to array |
+| test.cpp:53:14:53:16 | buf | semmle.label | buf |
 | test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
 | test.cpp:57:14:57:16 | buf | semmle.label | buf |
 | test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
 | test.cpp:61:14:61:16 | buf | semmle.label | buf |
 | test.cpp:66:32:66:32 | p | semmle.label | p |
+| test.cpp:66:32:66:32 | p | semmle.label | p |
 | test.cpp:70:33:70:33 | p | semmle.label | p |
+| test.cpp:71:5:71:17 | access to array | semmle.label | access to array |
 | test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
+| test.cpp:76:26:76:46 | & ... | semmle.label | & ... |
+| test.cpp:76:32:76:34 | buf | semmle.label | buf |
 | test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
 | test.cpp:77:32:77:34 | buf | semmle.label | buf |
 | test.cpp:79:27:79:34 | buf | semmle.label | buf |
 | test.cpp:79:32:79:34 | buf | semmle.label | buf |
 | test.cpp:85:34:85:36 | buf | semmle.label | buf |
 | test.cpp:87:5:87:31 | access to array | semmle.label | access to array |
 | test.cpp:88:5:88:27 | access to array | semmle.label | access to array |
+| test.cpp:96:13:96:15 | arr | semmle.label | arr |
+| test.cpp:96:13:96:18 | access to array | semmle.label | access to array |
+| test.cpp:111:17:111:19 | arr | semmle.label | arr |
+| test.cpp:111:17:111:22 | access to array | semmle.label | access to array |
+| test.cpp:115:35:115:37 | arr | semmle.label | arr |
+| test.cpp:115:35:115:40 | access to array | semmle.label | access to array |
+| test.cpp:119:17:119:19 | arr | semmle.label | arr |
+| test.cpp:119:17:119:22 | access to array | semmle.label | access to array |
 | test.cpp:128:9:128:11 | arr | semmle.label | arr |
 | test.cpp:128:9:128:14 | access to array | semmle.label | access to array |
 | test.cpp:134:25:134:27 | arr | semmle.label | arr |
 | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
 | test.cpp:138:13:138:15 | arr | semmle.label | arr |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
+| test.cpp:146:26:146:26 | p indirection | semmle.label | p indirection |
+| test.cpp:148:6:148:9 | * ... | semmle.label | * ... |
+| test.cpp:156:12:156:14 | buf | semmle.label | buf |
+| test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
+| test.cpp:158:17:158:18 | & ... indirection | semmle.label | & ... indirection |
 subpaths
 #select
 | test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
@@ -63,3 +109,4 @@ subpaths
 | test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
 | test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
+| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:148:6:148:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
@@ -142,3 +142,73 @@ void testStrncmp1() {
     char asdf[5];
     testStrncmp2(asdf);
 }
+
+void countdownBuf1(int **p) {
+  *--(*p) = 1; // GOOD [FALSE POSITIVE]
+  *--(*p) = 2; // GOOD
+  *--(*p) = 3; // GOOD
+  *--(*p) = 4; // GOOD
+}
+
+void countdownBuf2() {
+  int buf[4];
+
+  int *x = buf + 4;
+
+  countdownBuf1(&x);
+}
+
+int access(int *p) {
+    return p[0];
+}
+
+
+// unrolled loop style seen in crypto code.
+int countdownLength1(int *p, int len) {
+    while(len > 0) {
+        access(p);
+        p[1] = 1;
+        p[2] = 2;
+        p[3] = 3;
+        p[4] = 4;
+        p[5] = 5;
+        p[6] = 6; // BAD [FALSE NEGATIVE]
+        p[7] = 7; // BAD [FALSE NEGATIVE]
+        p += 8;
+        len -= 8;
+    }
+
+    return p[5];
+}
+
+int callCountdownLenght() {
+    
+    int buf[6];
+
+    return countdownLength1(buf, 6);
+}
+
+int countdownLength2() {
+    int buf[6];
+    int len = 6;
+    int *p = buf;
+    
+    if(len % 8) {
+        return -1;
+    }
+
+    while(len > 0) {
+        p[0] = 0;
+        p[1] = 1;
+        p[2] = 2;
+        p[3] = 3;
+        p[4] = 4;
+        p[5] = 5;
+        p[6] = 6; // GOOD
+        p[7] = 7; // GOOD
+        p += 8;
+        len -= 8;
+    }
+
+    return p[5];
+}
