C++: Fix 'strtol' model.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -19,6 +19,7 @@ private import implementations.Strtok
 private import implementations.Strset
 private import implementations.Strcrement
 private import implementations.Strnextc
+private import implementations.Strtol
 private import implementations.StdContainer
 private import implementations.StdPair
 private import implementations.StdMap

cpp/ql/lib/semmle/code/cpp/models/implementations/Pure.qll

@@ -13,7 +13,7 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
   PureStrFunction() {
     this.hasGlobalOrStdOrBslName([
         atoi(), "strcasestr", "strchnul", "strchr", "strchrnul", "strstr", "strpbrk", "strrchr",
-        "strspn", strtol(), strrev(), strcmp(), strlwr(), strupr()
+        "strspn", strrev(), strcmp(), strlwr(), strupr()
       ])
   }
 
@@ -70,8 +70,6 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
 
 private string atoi() { result = ["atof", "atoi", "atol", "atoll"] }
 
-private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
-
 private string strlwr() {
   result = ["_strlwr", "_wcslwr", "_mbslwr", "_strlwr_l", "_wcslwr_l", "_mbslwr_l"]
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Strtol.qll

@@ -0,0 +1,50 @@
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
+
+/**
+ * The standard function `strtol` and its assorted variants
+ */
+private class Strtol extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
+  Strtol() { this.hasGlobalOrStdOrBslName(strtol()) }
+
+  override predicate hasArrayInput(int bufParam) {
+    // All the functions given by `strtol()` takes a `const char*` input as the first parameter
+    bufParam = 0
+  }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      input.isParameter(0)
+      or
+      input.isParameterDeref(0)
+    ) and
+    output.isReturnValue()
+  }
+
+  override predicate parameterNeverEscapes(int i) {
+    this.getParameter(i).getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int i) { none() }
+
+  override predicate parameterIsAlwaysReturned(int i) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and
+    buffer = true
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 1 and buffer = false and mustWrite = false
+  }
+}