add bitwise complement

GrosQuildu · GrosQuildu · commit 71d528ffac7e · 2025-04-04T13:20:21.000+02:00
diff --git a/cpp/src/security/UnsafeImplicitConversions/UnsafeImplicitConversions.ql b/cpp/src/security/UnsafeImplicitConversions/UnsafeImplicitConversions.ql
@@ -34,7 +34,7 @@ predicate safeBounds(Expr cast, IntegralType toType) {
 }
 
 
-from IntegralConversion cast, IntegralType fromType, IntegralType toType
+from IntegralConversion cast, IntegralType fromType, IntegralType toType, boolean checkBounds, string problemType
 where
     cast.isImplicit()
     and fromType = cast.getExpr().getExplicitlyConverted().getUnspecifiedType()
@@ -43,27 +43,53 @@ where
 
     and (
         // truncation
-        fromType.getSize() > toType.getSize()
+        (
+            problemType = "truncation"
+            and fromType.getSize() > toType.getSize()
+            and checkBounds = true
+        )
         or
         // reinterpretation
         (
-            fromType.getSize() = toType.getSize()
+            problemType = "reinterpretation"
+            and fromType.getSize() = toType.getSize()
             and
             (
                 (fromType.isUnsigned() and toType.isSigned())
                 or
                 (fromType.isSigned() and toType.isUnsigned())
             )
+            and checkBounds = true
         )
         or
         // widening
         (
-            fromType.getSize() < toType.getSize() and fromType.isSigned() and toType.isUnsigned()
+            fromType.getSize() < toType.getSize()
+            and
+            (
+                (
+                    problemType = "widening"
+                    and fromType.isSigned() and toType.isUnsigned()
+                    and checkBounds = true
+                )
+                or
+                // unsafe promotion
+                (
+                    problemType = "promotion with bitwise complement"
+                    and exists(ComplementExpr complement |
+                        complement.getOperand().getConversion*() = cast
+                    )
+                    and checkBounds = false
+                )
+            )
         )
     )
     
-    // skip if value is in safe range
-    and not safeBounds(cast.getExpr(), toType)
+    // skip if value is in safe range, except for ~ (complement)
+    and (
+        checkBounds = true implies
+        not safeBounds(cast.getExpr(), toType)
+    )
 
     and not (
         // skip conversions in arithmetic operations
@@ -93,4 +119,4 @@ where
         or
         exists(FunctionAccess fc | fc.getTarget() = cast.getEnclosingFunction())
     )
-select cast, "Implicit cast from " + fromType + " to " + toType + "; bounds are [" + lowerBound(cast.getExpr())+ "; " + upperBound(cast.getExpr()) + "]"
+select cast, "Implicit cast from " + fromType + " to " + toType + " (" + problemType + "), bounds are [" + lowerBound(cast.getExpr())+ "; " + upperBound(cast.getExpr()) + "]"
diff --git a/cpp/test/query-tests/security/UnsafeImplicitConversions/UnsafeImplicitConversions.expected b/cpp/test/query-tests/security/UnsafeImplicitConversions/UnsafeImplicitConversions.expected
@@ -1,23 +1,26 @@
-| test.cpp:72:17:72:21 | (int)... | Implicit cast from unsigned long to int; bounds are [4294967297; 4294967297] |
-| test.cpp:73:20:73:24 | (int)... | Implicit cast from unsigned long to int; bounds are [4294967297; 4294967297] |
-| test.cpp:74:23:74:27 | (int)... | Implicit cast from unsigned long to int; bounds are [4294967297; 4294967297] |
-| test.cpp:75:28:75:32 | (int)... | Implicit cast from unsigned long to int; bounds are [4294967297; 4294967297] |
-| test.cpp:80:36:80:40 | (int)... | Implicit cast from unsigned long to int; bounds are [0; 18446744073709551616] |
-| test.cpp:88:17:88:21 | (int)... | Implicit cast from unsigned long to int; bounds are [4294967297; 4294967297] |
-| test.cpp:94:17:94:21 | (unsigned int)... | Implicit cast from unsigned long to unsigned int; bounds are [4294967297; 4294967297] |
-| test.cpp:100:17:100:21 | (unsigned int)... | Implicit cast from unsigned long to unsigned int; bounds are [4294967297; 4294967297] |
-| test.cpp:106:17:106:21 | (int)... | Implicit cast from long to int; bounds are [4294967297; 4294967297] |
-| test.cpp:114:17:114:17 | (int)... | Implicit cast from unsigned long to int; bounds are [0; 18446744073709551616] |
-| test.cpp:121:17:121:21 | (int)... | Implicit cast from unsigned int to int; bounds are [0; 4294967295] |
-| test.cpp:121:28:121:28 | (int)... | Implicit cast from unsigned int to int; bounds are [0; 4294967295] |
-| test.cpp:127:17:127:21 | (unsigned short)... | Implicit cast from unsigned long to unsigned short; bounds are [4294967297; 4294967297] |
-| test.cpp:133:17:133:21 | (int)... | Implicit cast from unsigned long to int; bounds are [4294967297; 4294967297] |
-| test.cpp:140:17:140:18 | (unsigned short)... | Implicit cast from unsigned long to unsigned short; bounds are [0; 18446744073709551616] |
-| test.cpp:146:17:146:21 | (int)... | Implicit cast from unsigned int to int; bounds are [4294967295; 4294967295] |
-| test.cpp:151:17:151:26 | (int)... | Implicit cast from unsigned int to int; bounds are [2147484985; 2147484985] |
-| test.cpp:157:17:157:21 | (unsigned int)... | Implicit cast from long to unsigned int; bounds are [-1; -1] |
-| test.cpp:163:17:163:50 | (uint16_t)... | Implicit cast from int to unsigned short; bounds are [-51956; -51956] |
-| test.cpp:264:12:264:65 | (unsigned int)... | Implicit cast from int to unsigned int; bounds are [-2147483648; 2147483647] |
-| test.cpp:270:16:270:31 | (size_t)... | Implicit cast from int to unsigned long; bounds are [-2147483648; 2147483647] |
-| test.cpp:271:14:271:14 | (int)... | Implicit cast from unsigned long to int; bounds are [0; 18446744073709551616] |
-| test.cpp:289:18:289:18 | (int)... | Implicit cast from unsigned long to int; bounds are [0; 18446744073709551616] |
+| test.cpp:72:17:72:21 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:73:20:73:24 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:74:23:74:27 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:75:28:75:32 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:80:36:80:40 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [0; 18446744073709551616] |
+| test.cpp:88:17:88:21 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:94:17:94:21 | (unsigned int)... | Implicit cast from unsigned long to unsigned int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:100:17:100:21 | (unsigned int)... | Implicit cast from unsigned long to unsigned int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:106:17:106:21 | (int)... | Implicit cast from long to int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:114:17:114:17 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [0; 18446744073709551616] |
+| test.cpp:121:17:121:21 | (int)... | Implicit cast from unsigned int to int (reinterpretation), bounds are [0; 4294967295] |
+| test.cpp:121:28:121:28 | (int)... | Implicit cast from unsigned int to int (reinterpretation), bounds are [0; 4294967295] |
+| test.cpp:127:17:127:21 | (unsigned short)... | Implicit cast from unsigned long to unsigned short (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:133:17:133:21 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [4294967297; 4294967297] |
+| test.cpp:140:17:140:18 | (unsigned short)... | Implicit cast from unsigned long to unsigned short (truncation), bounds are [0; 18446744073709551616] |
+| test.cpp:146:17:146:21 | (int)... | Implicit cast from unsigned int to int (reinterpretation), bounds are [4294967295; 4294967295] |
+| test.cpp:151:17:151:26 | (int)... | Implicit cast from unsigned int to int (reinterpretation), bounds are [2147484985; 2147484985] |
+| test.cpp:157:17:157:21 | (unsigned int)... | Implicit cast from long to unsigned int (truncation), bounds are [-1; -1] |
+| test.cpp:163:17:163:50 | (uint16_t)... | Implicit cast from int to unsigned short (truncation), bounds are [-51956; -51956] |
+| test.cpp:170:24:170:24 | (unsigned int)... | Implicit cast from short to unsigned int (widening), bounds are [-2; -2] |
+| test.cpp:176:18:176:20 | (int)... | Implicit cast from unsigned short to int (promotion with bitwise complement), bounds are [19; 19] |
+| test.cpp:277:12:277:65 | (unsigned int)... | Implicit cast from int to unsigned int (reinterpretation), bounds are [-2147483648; 2147483647] |
+| test.cpp:283:16:283:31 | (size_t)... | Implicit cast from int to unsigned long (widening), bounds are [-2147483648; 2147483647] |
+| test.cpp:284:14:284:14 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [0; 18446744073709551616] |
+| test.cpp:302:18:302:18 | (int)... | Implicit cast from unsigned long to int (truncation), bounds are [0; 18446744073709551616] |
+| test.cpp:308:35:308:37 | (int)... | Implicit cast from unsigned short to int (promotion with bitwise complement), bounds are [19; 19] |
diff --git a/cpp/test/query-tests/security/UnsafeImplicitConversions/test.cpp b/cpp/test/query-tests/security/UnsafeImplicitConversions/test.cpp
@@ -163,6 +163,19 @@ void test15() {
     test_func_9((uint16_t)large - (uint16_t)0xcafe);
 }
 
+// Implicit widening in usual arithmetic conversions
+void test16() {
+    short a = -2;
+    unsigned int b = 0x13;
+    unsigned short c = a & b;
+}
+
+// Implicit type promotion with binary complement
+void test17() {
+    unsigned short val = 0x13;
+    int val2 = (~val) >> 3;
+}
+
 
 /*
  * Tests for False Positives
@@ -267,8 +280,8 @@ unsigned int complex_const(void) {
 
 int test_fp11(int argc, size_t c) {
     int a = argc * 2;
-    size_t b = max_int(1500, a);
-    int h2 = c;
+    size_t b = max_int(1500, a);  // ok but reported (Value Range Analysis limitation)
+    int h2 = c;    // ok but reported (Value Range Analysis limitation)
     if (h2 > 0) {
         c = 44;
         int w = c;
@@ -286,10 +299,35 @@ int test_fp11(int argc, size_t c) {
     c = (c + 3) & ~3 | 0xf;
     b += c;
 
-    int result = b; // ok, b's upper bound is known
+    int result = b;  // ok but reported (Value Range Analysis limitation)
     return result;
 }
 
+void test_fp12() {
+    unsigned short val = 0x13;
+    int val2 = (unsigned short) (~val) >> 3; // TODO: exclude explicit conversions
+}
+
+void test_fp13() {
+    unsigned short val = 0x13;
+    int val2 = -val;
+}
+
+void test_fp14() {
+    uint64_t large = (uint64_t)0x100000001;
+    test_func_1((int)large);
+    test_func_1(static_cast<int>(large));
+    test_func_1(int{large});
+}
+
+void test_fp15() {
+    short a = -2;
+    unsigned int b = 0x13;
+    unsigned short c = (unsigned int)a & b;
+}
+
+
+
 int main(int argc, char **argv) {
     uint64_t large;
     large = 0x100000001;
@@ -309,6 +347,8 @@ int main(int argc, char **argv) {
     test13();
     test14();
     test15();
+    test16();
+    test17();
 
     test_fp1(large);
     test_fp2();
@@ -324,6 +364,11 @@ int main(int argc, char **argv) {
     // reported, because Value Range Analysis limitations
     test_fp11(argc, 22);
     test_fp11(argc, argc);
+
+    test_fp12();
+    test_fp13();
+    test_fp14();
+    test_fp15();
     
     return 0;
 }
