C++: Add a FP caused by bad range analysis for subtraction.

Author: MathiasVP

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

@@ -228,6 +228,7 @@ edges
 | test.cpp:732:16:732:26 | ... + ... | test.cpp:732:16:732:26 | ... + ... |
 | test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
 | test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
+| test.cpp:739:12:739:21 | new[] | test.cpp:742:5:742:16 | ... = ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
@@ -382,6 +383,8 @@ nodes
 | test.cpp:732:16:732:26 | ... + ... | semmle.label | ... + ... |
 | test.cpp:732:16:732:26 | ... + ... | semmle.label | ... + ... |
 | test.cpp:733:5:733:12 | ... = ... | semmle.label | ... = ... |
+| test.cpp:739:12:739:21 | new[] | semmle.label | new[] |
+| test.cpp:742:5:742:16 | ... = ... | semmle.label | ... = ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -417,3 +420,4 @@ subpaths
 | test.cpp:701:15:701:16 | * ... | test.cpp:695:13:695:26 | new[] | test.cpp:701:15:701:16 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:695:13:695:26 | new[] | new[] | test.cpp:696:19:696:22 | size | size |
 | test.cpp:706:12:706:13 | * ... | test.cpp:711:13:711:26 | new[] | test.cpp:706:12:706:13 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:711:13:711:26 | new[] | new[] | test.cpp:712:19:712:22 | size | size |
 | test.cpp:733:5:733:12 | ... = ... | test.cpp:730:12:730:28 | new[] | test.cpp:733:5:733:12 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:730:12:730:28 | new[] | new[] | test.cpp:732:21:732:25 | ... + ... | ... + ... |
+| test.cpp:742:5:742:16 | ... = ... | test.cpp:739:12:739:21 | new[] | test.cpp:742:5:742:16 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:739:12:739:21 | new[] | new[] | test.cpp:742:7:742:11 | ... - ... | ... - ... |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp

@@ -733,3 +733,12 @@ void test36(unsigned size, unsigned n) {
     *end = 0; // $ deref=L733 // BAD
   }
 }
+
+void test37(unsigned long n)
+{
+  int *p = new int[n];
+  for (unsigned long i = n; i != 0u; i--)
+  {
+    p[n - i] = 0; // $ alloc=L739 deref=L742 // GOOD [FALSE POSITIVE]
+  }
+}

cpp/ql/test/library-tests/ir/range-analysis/test.cpp

@@ -95,3 +95,25 @@ void gotoLoop(bool b1, bool b2)
     }
   }
 }
+
+void test_sub(int x, int y, int n) {
+  if(x > 0 && x < 500) {
+    if(y > 0 && y < 10) {
+      range(x - y); // $ range="<=InitializeParameter: x-1" range=<=498
+    }
+
+    if(n > 0 && n < 100) {
+      for (int i = 0; i < n; i++)
+      {
+        range(n - i); // $ range=<=99 range="<=InitializeParameter: n | Store: n+0"
+        range(i - n); // $ range="<=InitializeParameter: n | Store: n-2" range=<=97 range="<=Phi: i-1"
+      }
+
+      for (int i = n; i != 0; i--)
+      {
+        range(n - i); // $ SPURIOUS: overflow=+
+        range(i - n); // $ range="<=Phi: i-1" SPURIOUS: overflow=-
+      }
+    }
+  }
+}