Merge pull request github#13790 from MathiasVP/add-invalid-ptr-false-positive

MathiasVP · web-flow · commit 69ea7d92cd0b · 2023-07-21T16:42:53.000+01:00
C++: Add false positive to `cpp/invalid-pointer-deref`
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -221,6 +221,8 @@ edges
 | test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | ... = ... |
 | test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | ... = ... |
 | test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:23 | ... = ... |
+| test.cpp:695:13:695:26 | new[] | test.cpp:698:5:698:10 | ... += ... |
+| test.cpp:698:5:698:10 | ... += ... | test.cpp:701:15:701:16 | * ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
@@ -370,6 +372,9 @@ nodes
 | test.cpp:662:3:662:11 | ... = ... | semmle.label | ... = ... |
 | test.cpp:667:14:667:31 | new[] | semmle.label | new[] |
 | test.cpp:675:7:675:23 | ... = ... | semmle.label | ... = ... |
+| test.cpp:695:13:695:26 | new[] | semmle.label | new[] |
+| test.cpp:698:5:698:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:701:15:701:16 | * ... | semmle.label | * ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -405,3 +410,4 @@ subpaths
 | test.cpp:647:5:647:19 | ... = ... | test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:642:14:642:31 | new[] | new[] | test.cpp:647:8:647:14 | src_pos | src_pos |
 | test.cpp:662:3:662:11 | ... = ... | test.cpp:652:14:652:27 | new[] | test.cpp:662:3:662:11 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:652:14:652:27 | new[] | new[] | test.cpp:653:19:653:22 | size | size |
 | test.cpp:675:7:675:23 | ... = ... | test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:23 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:667:14:667:31 | new[] | new[] | test.cpp:675:10:675:18 | ... ++ | ... ++ |
+| test.cpp:701:15:701:16 | * ... | test.cpp:695:13:695:26 | new[] | test.cpp:701:15:701:16 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:695:13:695:26 | new[] | new[] | test.cpp:696:19:696:22 | size | size |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -689,4 +689,15 @@ void test_missing_call_context_2(unsigned size) {
   int* p = new int[size];
   int* end_minus_one = pointer_arithmetic(p, size - 1);
   *end_minus_one = '0'; // $ deref=L680->L690->L691 // GOOD
+}
+
+void test34(unsigned size) {
+  char *p = new char[size];
+  char *end = p + size + 1; // $ alloc=L695
+  if (p + 1 < end) {
+    p += 1;
+  }
+  if (p + 1 < end) {
+    int val = *p; // $ deref=L698->L700->L701 // GOOD [FALSE POSITIVE]
+  }
 }
