C++: Expand heuristic to catch more sources.

MathiasVP · MathiasVP · commit 363514e4ca5a · 2023-05-10T08:27:29.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
@@ -437,7 +437,7 @@ private module HeuristicAllocation {
     int sizeArg;
 
     HeuristicAllocationFunctionByName() {
-      Function.super.getName().matches("%alloc%") and
+      Function.super.getName().matches(["%alloc%", "%Alloc%"]) and
       Function.super.getUnspecifiedType() instanceof PointerType and
       sizeArg = unique( | | getAnUnsignedParameter(this))
     }
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp
@@ -246,6 +246,6 @@ void test_flow_through_setter(unsigned size) {
 void* my_alloc(unsigned size);
 
 void foo(unsigned size) {
-    int* p = (int*)my_alloc(size); // BAD [NOT DETECTED]
+    int* p = (int*)my_alloc(size); // BAD
     memset(p, 0, size + 1);
 }

Original file line number	Diff line number	Diff line change
`@@ -437,7 +437,7 @@ private module HeuristicAllocation {`
`437`	`437`	`int sizeArg;`
`438`	`438`
`439`	`439`	`HeuristicAllocationFunctionByName() {`
`440`		`- Function.super.getName().matches("%alloc%") and`
	`440`	`+ Function.super.getName().matches(["%alloc%", "%Alloc%"]) and`
`441`	`441`	`Function.super.getUnspecifiedType() instanceof PointerType and`
`442`	`442`	`sizeArg = unique( \| \| getAnUnsignedParameter(this))`
`443`	`443`	`}`
Original file line number	Diff line number	Diff line change
`@@ -246,6 +246,6 @@ void test_flow_through_setter(unsigned size) {`
`246`	`246`	`void* my_alloc(unsigned size);`
`247`	`247`
`248`	`248`	`void foo(unsigned size) {`
`249`		`- int* p = (int*)my_alloc(size); // BAD [NOT DETECTED]`
	`249`	`+ int* p = (int*)my_alloc(size); // BAD`
`250`	`250`	`memset(p, 0, size + 1);`
`251`	`251`	`}`