C++: fix cxartesian product in constant off-by-one query

rdmarsh2 · rdmarsh2 · commit bf07b0f97b19 · 2023-05-19T18:32:09.000-04:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -87,6 +87,18 @@ predicate pointerArithOverflow(
   delta = bound - size
 }
 
+module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    pointerArithOverflow(source.asInstruction(), _, _, _, _)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    isInvalidPointerDerefSink1(sink, _, _)
+  }
+}
+
+module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefConfig>;
+
 module FieldAddressToDerefConfig implements DataFlow::StateConfigSig {
   newtype FlowState =
     additional TArray(Field f) { pointerArithOverflow(_, f, _, _, _) } or
@@ -101,9 +113,12 @@ module FieldAddressToDerefConfig implements DataFlow::StateConfigSig {
     )
   }
 
+  pragma[inline]
   predicate isSink(DataFlow::Node sink, FlowState state) {
-    isInvalidPointerDerefSink1(sink, _, _) and
-    state instanceof TOverflowArithmetic
+    exists(DataFlow::Node pai |
+      state = TOverflowArithmetic(pai.asInstruction()) and
+      PointerArithmeticToDerefFlow::flow(pai, sink)
+    )
   }
 
   predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
@@ -1,72 +1,33 @@
 edges
-| test.cpp:26:10:26:12 | buf | test.cpp:26:5:26:12 | buf |
-| test.cpp:30:10:30:12 | buf | test.cpp:30:5:30:12 | buf |
-| test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:12 | buf |
-| test.cpp:35:5:35:12 | buf | test.cpp:35:5:35:22 | access to array |
-| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:12 | buf |
-| test.cpp:36:5:36:12 | buf | test.cpp:36:5:36:24 | access to array |
-| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:12 | buf |
-| test.cpp:39:14:39:16 | buf | test.cpp:39:9:39:16 | buf |
-| test.cpp:43:9:43:16 | buf | test.cpp:43:9:43:19 | access to array |
-| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:16 | buf |
-| test.cpp:48:10:48:12 | buf | test.cpp:48:5:48:12 | buf |
-| test.cpp:49:5:49:12 | buf | test.cpp:49:5:49:22 | access to array |
-| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:12 | buf |
-| test.cpp:50:5:50:12 | buf | test.cpp:50:5:50:24 | access to array |
-| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:12 | buf |
-| test.cpp:53:14:53:16 | buf | test.cpp:53:9:53:16 | buf |
-| test.cpp:57:9:57:16 | buf | test.cpp:57:9:57:19 | access to array |
-| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:16 | buf |
-| test.cpp:61:9:61:16 | buf | test.cpp:61:9:61:19 | access to array |
-| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:16 | buf |
+| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array |
+| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array |
+| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array |
+| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array |
+| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array |
+| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array |
+| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array |
 | test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | p |
 | test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
 | test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | p |
-| test.cpp:70:33:70:33 | p | test.cpp:71:5:71:5 | p |
-| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:5 | p |
-| test.cpp:72:5:72:5 | p | test.cpp:72:5:72:15 | access to array |
-| test.cpp:76:32:76:34 | buf | test.cpp:76:27:76:34 | buf |
+| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array |
 | test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
 | test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
-| test.cpp:77:27:77:34 | buf | test.cpp:77:27:77:44 | access to array |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:26:77:44 | & ... |
-| test.cpp:77:32:77:34 | buf | test.cpp:77:27:77:34 | buf |
+| test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
 | test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
 | test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
-| test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:11 | charBuf |
-| test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:11 | charBuf |
 nodes
-| test.cpp:26:5:26:12 | buf | semmle.label | buf |
-| test.cpp:26:10:26:12 | buf | semmle.label | buf |
-| test.cpp:30:5:30:12 | buf | semmle.label | buf |
-| test.cpp:30:10:30:12 | buf | semmle.label | buf |
-| test.cpp:34:5:34:12 | buf | semmle.label | buf |
-| test.cpp:34:10:34:12 | buf | semmle.label | buf |
-| test.cpp:35:5:35:12 | buf | semmle.label | buf |
 | test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
 | test.cpp:35:10:35:12 | buf | semmle.label | buf |
-| test.cpp:36:5:36:12 | buf | semmle.label | buf |
 | test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
 | test.cpp:36:10:36:12 | buf | semmle.label | buf |
-| test.cpp:39:9:39:16 | buf | semmle.label | buf |
-| test.cpp:39:14:39:16 | buf | semmle.label | buf |
-| test.cpp:43:9:43:16 | buf | semmle.label | buf |
 | test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
 | test.cpp:43:14:43:16 | buf | semmle.label | buf |
-| test.cpp:48:5:48:12 | buf | semmle.label | buf |
-| test.cpp:48:10:48:12 | buf | semmle.label | buf |
-| test.cpp:49:5:49:12 | buf | semmle.label | buf |
 | test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
 | test.cpp:49:10:49:12 | buf | semmle.label | buf |
-| test.cpp:50:5:50:12 | buf | semmle.label | buf |
 | test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
 | test.cpp:50:10:50:12 | buf | semmle.label | buf |
-| test.cpp:53:9:53:16 | buf | semmle.label | buf |
-| test.cpp:53:14:53:16 | buf | semmle.label | buf |
-| test.cpp:57:9:57:16 | buf | semmle.label | buf |
 | test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
 | test.cpp:57:14:57:16 | buf | semmle.label | buf |
-| test.cpp:61:9:61:16 | buf | semmle.label | buf |
 | test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
 | test.cpp:61:14:61:16 | buf | semmle.label | buf |
 | test.cpp:66:32:66:32 | p | semmle.label | p |
@@ -75,31 +36,22 @@ nodes
 | test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
 | test.cpp:67:6:67:6 | p | semmle.label | p |
 | test.cpp:70:33:70:33 | p | semmle.label | p |
-| test.cpp:71:5:71:5 | p | semmle.label | p |
-| test.cpp:72:5:72:5 | p | semmle.label | p |
 | test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
-| test.cpp:76:27:76:34 | buf | semmle.label | buf |
-| test.cpp:76:32:76:34 | buf | semmle.label | buf |
 | test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
-| test.cpp:77:27:77:34 | buf | semmle.label | buf |
-| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
 | test.cpp:77:32:77:34 | buf | semmle.label | buf |
 | test.cpp:79:27:79:34 | buf | semmle.label | buf |
 | test.cpp:79:32:79:34 | buf | semmle.label | buf |
-| test.cpp:85:34:85:36 | buf | semmle.label | buf |
-| test.cpp:87:5:87:11 | charBuf | semmle.label | charBuf |
-| test.cpp:88:5:88:11 | charBuf | semmle.label | charBuf |
 subpaths
 #select
-| test.cpp:35:5:35:22 | access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
-| test.cpp:36:5:36:24 | access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
-| test.cpp:43:9:43:19 | access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
-| test.cpp:49:5:49:22 | access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
-| test.cpp:50:5:50:24 | access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
-| test.cpp:57:9:57:19 | access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
-| test.cpp:61:9:61:19 | access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
-| test.cpp:72:5:72:15 | access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:32:77:34 | buf | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:32:77:34 | buf | test.cpp:67:6:67:6 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
+| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
+| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
+| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
+| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
+| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
+| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
+| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:67:6:67:6 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
