C++: Add a test file that was internal (results as on main).

geoffw0 · geoffw0 · commit abb88e3dba48 · 2025-02-26T17:14:43.000Z
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected
@@ -19,3 +19,14 @@
 | unions.c:26:2:26:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
 | unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
 | var_size_struct.cpp:22:3:22:8 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 9 bytes. |
+| varbuffer.c:15:5:15:10 | call to strcpy | This 'call to strcpy' operation requires 2 bytes but the destination is only 1 bytes. |
+| varbuffer.c:16:5:16:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 1 bytes. |
+| varbuffer.c:23:5:23:10 | call to strcpy | This 'call to strcpy' operation requires 12 bytes but the destination is only 11 bytes. |
+| varbuffer.c:24:5:24:10 | call to strcpy | This 'call to strcpy' operation requires 17 bytes but the destination is only 11 bytes. |
+| varbuffer.c:39:5:39:10 | call to strcpy | This 'call to strcpy' operation requires 3 bytes but the destination is only 2 bytes. |
+| varbuffer.c:40:5:40:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 2 bytes. |
+| varbuffer.c:45:5:45:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 2 bytes. |
+| varbuffer.c:46:5:46:10 | call to strcpy | This 'call to strcpy' operation requires 17 bytes but the destination is only 2 bytes. |
+| varbuffer.c:60:5:60:10 | call to strcpy | This 'call to strcpy' operation requires 2 bytes but the destination is only 1 bytes. |
+| varbuffer.c:61:5:61:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 1 bytes. |
+| varbuffer.c:67:5:67:10 | call to strcpy | This 'call to strcpy' operation requires 17 bytes but the destination is only 11 bytes. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c
@@ -0,0 +1,69 @@
+// Further test cases for CWE-120.
+
+typedef unsigned long size_t;
+
+typedef struct _MyVarStruct {
+    size_t len;
+    char buffer[1]; // variable size buffer
+} MyVarStruct;
+
+void testMyVarStruct()
+{
+    MyVarStruct *ptr1 = (MyVarStruct*)malloc(sizeof(MyVarStruct));
+    ptr1->len = 0;
+    strcpy(ptr1->buffer, ""); // GOOD
+    strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1
+    strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1
+    // ...
+
+    MyVarStruct *ptr2 = (MyVarStruct*)malloc(sizeof(MyVarStruct) + (sizeof(char) * 10));
+    ptr2->len = 10;
+    strcpy(ptr2->buffer, "123456789"); // GOOD
+    strcpy(ptr2->buffer, "1234567890"); // GOOD
+    strcpy(ptr2->buffer, "1234567890a"); // BAD: length 12, but destination only has length 11
+    strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 11
+    // ...
+}
+
+typedef struct MyFixedStruct1 {
+    int len;
+    char buffer[2]; // assumed to be a fixed size buffer
+} MyFixedStruct1;
+
+void testMyFixedStruct()
+{
+    MyFixedStruct1 *ptr1 = (MyFixedStruct1 *)malloc(sizeof(MyFixedStruct1));
+    ptr1->len = 1;
+    strcpy(ptr1->buffer, ""); // GOOD
+    strcpy(ptr1->buffer, "1"); // GOOD
+    strcpy(ptr1->buffer, "12"); // BAD: length 3, but destination only has length 2
+    strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 2
+    // ...
+
+    MyFixedStruct1 *ptr2 = (MyFixedStruct1*)malloc(sizeof(MyFixedStruct1) + (sizeof(char) * 10));
+    ptr2->len = 11;
+    strcpy(ptr2->buffer, "123456789"); // BAD / DUBIOUS: length 10, but destination only has length 2
+    strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 2
+    // ...
+}
+
+typedef struct _MyFixedStruct2 {
+    char buffer[1]; // fixed size buffer
+    size_t len;
+} MyFixedStruct2;
+
+void testMyFixedStruct2()
+{
+    MyFixedStruct2 *ptr1 = (MyFixedStruct2 *)malloc(sizeof(MyFixedStruct2));
+    ptr1->len = 1;
+    strcpy(ptr1->buffer, ""); // GOOD
+    strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1
+    strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1
+    // ...
+
+    MyFixedStruct2 *ptr2 = (MyFixedStruct2*)malloc(sizeof(MyFixedStruct2) + (sizeof(char) * 10));
+    ptr2->len = 11;
+    strcpy(ptr2->buffer, "123456789"); // BAD: length 10, but destination only has length 1 [NOT DETECTED]
+    strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 1
+    // ...
+}
