Adding BadOverflowGuard qhelp, example code for help, and ql file.

Author: bdrodes

cpp/ql/src/Microsoft/Likely Bugs/Conversion/BadOverflowGuard.qhelp

@@ -0,0 +1,20 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+  <p>Checking for overflow of an addition by comparing against one of the arguments of the addition fails if the size of all the argument types are smaller than 4 bytes. This is because the result of the addition is promoted to a 4 byte int.</p>
+</overview>
+  
+<recommendation>
+<p>Check the overflow by comparing the addition against a value that is at least 4 bytes.</p>
+</recommendation>
+
+<example>
+  <p>In this example, the result of the comparison will result in an integer overflow.</p>
+  <sample src="BadOverflowGuardBadCode.c" />
+
+  <p>To fix the bug, check the overflow by comparing the addition against a value that is at least 4 bytes.</p>
+  <sample src="BadOverflowGuardGoodCode.c" />
+</example>
+</qhelp>

cpp/ql/src/Microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Bad overflow check
+ * @description Checking for overflow of an addition by comparing against one
+ *              of the arguments of the addition fails if the size of all the
+ *              argument types are smaller than 4 bytes. This is because the
+ *              result of the addition is promoted to a 4 byte int.
+ * @kind problem
+ * @problem.severity error
+ * @tags security
+ *       external/cwe/cwe-190
+ *       external/cwe/cwe-191
+ * @id cpp/badoverflowguard
+ */
+
+import cpp
+
+/*
+ * Example:
+ *
+ * uint16 v, uint16 b
+ * if ((v + b < v) <-- bad check for overflow
+ */
+
+from AddExpr a, Variable v, RelationalOperation cmp
+where
+  a.getAnOperand() = v.getAnAccess() and
+  forall(Expr op | op = a.getAnOperand() | op.getType().getSize() < 4) and
+  cmp.getAnOperand() = a and
+  cmp.getAnOperand() = v.getAnAccess() and
+  not a.getExplicitlyConverted().getType().getSize() < 4
+select cmp, "Bad overflow check"

cpp/ql/src/Microsoft/Likely Bugs/Conversion/BadOverflowGuardBadCode.c

@@ -0,0 +1,9 @@
+unsigned short CheckForInt16OverflowBadCode(unsigned short v, unsigned short b)
+{
+    if (v + b < v) // BUG: "v + b" will be promoted to 32 bits
+    {
+        // ... do something
+    }
+
+    return v + b;
+}

cpp/ql/src/Microsoft/Likely Bugs/Conversion/BadOverflowGuardGoodCode.c

@@ -0,0 +1,9 @@
+unsigned short CheckForInt16OverflowCorrectCode(unsigned short v, unsigned short b)
+{
+    if (v + b > 0x00FFFF)
+    {
+        // ... do something
+    }
+
+    return v + b;
+}