
Commit b651c02

authored
Merge pull request github#13653 from rdmarsh2/rdmarsh2/cpp/constant-array-overflow-tests
C++: more constant-array-overflow tests
2 parents dc6fd8f + d24a05a commit b651c02


2 files changed

+118
-38
lines changed


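--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
@@ -35,22 +35,26 @@ edges
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
-| test.cpp:148:23:148:28 | buffer | test.cpp:150:5:150:11 | access to array |
-| test.cpp:148:23:148:28 | buffer | test.cpp:151:5:151:11 | access to array |
-| test.cpp:159:25:159:29 | array | test.cpp:161:5:161:10 | access to array |
-| test.cpp:159:25:159:29 | array | test.cpp:162:5:162:10 | access to array |
-| test.cpp:175:30:175:30 | p | test.cpp:191:27:191:30 | access to array |
-| test.cpp:175:30:175:30 | p | test.cpp:191:27:191:30 | access to array |
-| test.cpp:204:14:204:20 | buffer3 | test.cpp:175:30:175:30 | p |
-| test.cpp:204:14:204:20 | buffer3 | test.cpp:204:14:204:20 | buffer3 |
-| test.cpp:207:35:207:35 | p | test.cpp:208:14:208:14 | p |
-| test.cpp:208:14:208:14 | p | test.cpp:175:30:175:30 | p |
-| test.cpp:213:19:213:25 | buffer1 | test.cpp:207:35:207:35 | p |
-| test.cpp:213:19:213:25 | buffer1 | test.cpp:213:19:213:25 | buffer1 |
-| test.cpp:216:19:216:25 | buffer2 | test.cpp:207:35:207:35 | p |
-| test.cpp:216:19:216:25 | buffer2 | test.cpp:216:19:216:25 | buffer2 |
-| test.cpp:219:19:219:25 | buffer3 | test.cpp:207:35:207:35 | p |
-| test.cpp:219:19:219:25 | buffer3 | test.cpp:219:19:219:25 | buffer3 |
+| test.cpp:146:26:146:26 | p indirection | test.cpp:148:6:148:9 | * ... |
+| test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
+| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | & ... indirection |
+| test.cpp:158:17:158:18 | & ... indirection | test.cpp:146:26:146:26 | p indirection |
+| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array |
+| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array |
+| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array |
+| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array |
+| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
+| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
+| test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p |
+| test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 |
+| test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p |
+| test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p |
+| test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p |
+| test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 |
+| test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p |
+| test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 |
+| test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p |
+| test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 |
 nodes
 | test.cpp:34:5:34:24 | access to array | semmle.label | access to array |
 | test.cpp:34:10:34:12 | buf | semmle.label | buf |
@@ -103,25 +107,30 @@ nodes
 | test.cpp:138:13:138:15 | arr | semmle.label | arr |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
-| test.cpp:148:23:148:28 | buffer | semmle.label | buffer |
-| test.cpp:150:5:150:11 | access to array | semmle.label | access to array |
-| test.cpp:151:5:151:11 | access to array | semmle.label | access to array |
-| test.cpp:159:25:159:29 | array | semmle.label | array |
-| test.cpp:161:5:161:10 | access to array | semmle.label | access to array |
-| test.cpp:162:5:162:10 | access to array | semmle.label | access to array |
-| test.cpp:175:30:175:30 | p | semmle.label | p |
-| test.cpp:175:30:175:30 | p | semmle.label | p |
-| test.cpp:191:27:191:30 | access to array | semmle.label | access to array |
-| test.cpp:204:14:204:20 | buffer3 | semmle.label | buffer3 |
-| test.cpp:204:14:204:20 | buffer3 | semmle.label | buffer3 |
-| test.cpp:207:35:207:35 | p | semmle.label | p |
-| test.cpp:208:14:208:14 | p | semmle.label | p |
-| test.cpp:213:19:213:25 | buffer1 | semmle.label | buffer1 |
-| test.cpp:213:19:213:25 | buffer1 | semmle.label | buffer1 |
-| test.cpp:216:19:216:25 | buffer2 | semmle.label | buffer2 |
-| test.cpp:216:19:216:25 | buffer2 | semmle.label | buffer2 |
-| test.cpp:219:19:219:25 | buffer3 | semmle.label | buffer3 |
-| test.cpp:219:19:219:25 | buffer3 | semmle.label | buffer3 |
+| test.cpp:146:26:146:26 | p indirection | semmle.label | p indirection |
+| test.cpp:148:6:148:9 | * ... | semmle.label | * ... |
+| test.cpp:156:12:156:14 | buf | semmle.label | buf |
+| test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
+| test.cpp:158:17:158:18 | & ... indirection | semmle.label | & ... indirection |
+| test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
+| test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
+| test.cpp:221:5:221:11 | access to array | semmle.label | access to array |
+| test.cpp:229:25:229:29 | array | semmle.label | array |
+| test.cpp:231:5:231:10 | access to array | semmle.label | access to array |
+| test.cpp:232:5:232:10 | access to array | semmle.label | access to array |
+| test.cpp:245:30:245:30 | p | semmle.label | p |
+| test.cpp:245:30:245:30 | p | semmle.label | p |
+| test.cpp:261:27:261:30 | access to array | semmle.label | access to array |
+| test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
+| test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
+| test.cpp:277:35:277:35 | p | semmle.label | p |
+| test.cpp:278:14:278:14 | p | semmle.label | p |
+| test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
+| test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
+| test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
+| test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
+| test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
+| test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
 subpaths
 #select
 | test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
@@ -136,6 +145,7 @@ subpaths
 | test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
 | test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
-| test.cpp:151:5:151:11 | PointerAdd: access to array | test.cpp:148:23:148:28 | buffer | test.cpp:151:5:151:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:147:19:147:24 | buffer | buffer | test.cpp:151:5:151:15 | Store: ... = ... | write |
-| test.cpp:162:5:162:10 | PointerAdd: access to array | test.cpp:159:25:159:29 | array | test.cpp:162:5:162:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:158:10:158:14 | array | array | test.cpp:162:5:162:19 | Store: ... = ... | write |
-| test.cpp:191:27:191:30 | PointerAdd: access to array | test.cpp:216:19:216:25 | buffer2 | test.cpp:191:27:191:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:215:19:215:25 | buffer2 | buffer2 | test.cpp:191:27:191:30 | Load: access to array | read |
+| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:148:6:148:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
+| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
+| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
+| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |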

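--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
@@ -143,6 +143,76 @@ void testStrncmp1() {
 testStrncmp2(asdf);
 }
 
+void countdownBuf1(int **p) {
+*--(*p) = 1; // GOOD [FALSE POSITIVE]
+*--(*p) = 2; // GOOD
+*--(*p) = 3; // GOOD
+*--(*p) = 4; // GOOD
+}
+
+void countdownBuf2() {
+int buf[4];
+
+int *x = buf + 4;
+
+countdownBuf1(&x);
+}
+
+int access(int *p) {
+return p[0];
+}
+
+
+// unrolled loop style seen in crypto code.
+int countdownLength1(int *p, int len) {
+while(len > 0) {
+access(p);
+p[1] = 1;
+p[2] = 2;
+p[3] = 3;
+p[4] = 4;
+p[5] = 5;
+p[6] = 6; // BAD [FALSE NEGATIVE]
+p[7] = 7; // BAD [FALSE NEGATIVE]
+p += 8;
+len -= 8;
+}
+
+return p[5];
+}
+
+int callCountdownLength() {
+
+int buf[6];
+
+return countdownLength1(buf, 6);
+}
+
+int countdownLength2() {
+int buf[6];
+int len = 6;
+int *p = buf;
+
+if(len % 8) {
+return -1;
+}
+
+while(len > 0) {
+p[0] = 0;
+p[1] = 1;
+p[2] = 2;
+p[3] = 3;
+p[4] = 4;
+p[5] = 5;
+p[6] = 6; // GOOD
+p[7] = 7; // GOOD
+p += 8;
+len -= 8;
+}
+
+return p[5];
+}
+
 void pointer_size_larger_than_array_element_size() {
 unsigned char buffer[100]; // getByteSize() = 100
 int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25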
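Review bot: `return p[5];` at new line 181 in countdownLength1 is an out-of-bounds read that carries no GOOD/BAD marker, unlike every other access in the hunk: callCountdownLength passes buf[6] with len 6, the loop body runs exactly once and advances p by 8, so the return reads buf[13], and the .expected file lists no result for line 181. Mark it so the expectation is explicit, e.g. `return p[5]; // BAD [FALSE NEGATIVE]: p == buf + 8 after one iteration`. The same line 213 in countdownLength2 also deserves a marker; with len fixed at 6 the `len % 8` guard makes the loop and that return unreachable, so presumably `// GOOD (unreachable: len is 6)` is the intended reading, but note that for any len that is a positive multiple of 8 the loop leaves p at buf + len and p[5] would again be past the end. All the new functions are fully inside the hunk; the surrounding testStrncmp1 closing brace and pointer_size_larger_than_array_element_size are context only.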
