Merge pull request github#18222 from github/calumgrant/bmn/badly-bounded-write

jketema · web-flow · commit ee8ce1c84ded · 2024-12-06T19:50:06.000+01:00
C++: Fix FPs in cpp/badly-bounded-write caused by extraction errors
diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -25,7 +25,8 @@ from BufferWrite bw, int destSize
 where
   bw.hasExplicitLimit() and // has an explicit size limit
   destSize = max(getBufferSize(bw.getDest(), _)) and
-  bw.getExplicitLimit() > destSize // but it's larger than the destination
+  bw.getExplicitLimit() > destSize and // but it's larger than the destination
+  not bw.getDest().getType().stripType() instanceof ErroneousType // destSize may be incorrect
 select bw,
   "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() +
     " bytes but the destination is only " + destSize + " bytes."
diff --git a/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md b/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c
@@ -0,0 +1,11 @@
+// semmle-extractor-options: --expect_errors
+
+typedef unsigned long size_t;
+typedef int wchar_t;
+
+int swprintf(wchar_t *s, size_t n, const wchar_t *format, ...);
+
+void test_extraction_errors() {
+    WCHAR buffer[3];
+    swprintf(buffer, 3, L"abc");
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.