C++: Fix offsetof bug.

geoffw0 · geoffw0 · commit ae25399a4713 · 2025-02-21T18:58:56.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -108,6 +108,7 @@ private int isSource(Expr bufferExpr, Element why) {
     result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
     why = bufferVar and
     not memberMayBeVarSize(_, bufferVar) and
+    not exists(BuiltInOperationBuiltInOffsetOf offsetof | offsetof.getAChild*() = bufferExpr) and
     // zero sized arrays are likely to have special usage, for example
     // behaving a bit like a 'union' overlapping other fields.
     not result = 0
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
@@ -100,7 +100,6 @@
 | tests.cpp:938:2:938:17 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:906:11:906:12 | xs | array |
 | tests.cpp:940:2:940:17 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 40 bytes. | tests.cpp:906:11:906:12 | xs | array |
 | tests.cpp:941:2:941:18 | access to array | This array indexing operation accesses byte offset 403 but the $@ is only 40 bytes. | tests.cpp:906:11:906:12 | xs | array |
-| tests.cpp:969:10:969:37 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:959:6:959:11 | values | array |
 | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
 | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -966,7 +966,7 @@ void test27(size_t s) {
 		// ...
 	}
 
-	if (s < offsetof(Array10, values[10])) { // GOOD (harmless) [FALSE POSITIVE]
+	if (s < offsetof(Array10, values[10])) { // GOOD (harmless)
 		// ...
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -966,7 +966,7 @@ void test27(size_t s) {`
`966`	`966`	`// ...`
`967`	`967`	`}`
`968`	`968`
`969`		`- if (s < offsetof(Array10, values[10])) { // GOOD (harmless) [FALSE POSITIVE]`
	`969`	`+ if (s < offsetof(Array10, values[10])) { // GOOD (harmless)`
`970`	`970`	`// ...`
`971`	`971`	`}`
`972`	`972`