[CPP-434] Improved query and test suite.

zlaski-semmle · zlaski-semmle · commit 33cd6de72947 · 2019-10-10T18:11:35.000-07:00
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -14,12 +14,17 @@
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
+private predicate isSignedWithoutUnsignedCast(Expr e) {
+  e.getType().getUnspecifiedType().(IntegralType).isSigned() and
+  not e.getExplicitlyConverted().getType().getUnspecifiedType().(IntegralType).isUnsigned()
+}
+
 from RelationalOperation ro, AddExpr add, VariableAccess va1, VariableAccess va2
 where
   ro.getAnOperand() = add and
   add.getAnOperand() = va1 and
   ro.getAnOperand() = va2 and
   globalValueNumber(va1) = globalValueNumber(va2) and
-  add.getFullyConverted().getType().getUnspecifiedType().(IntegralType).isSigned() and
-  not add.getExplicitlyConverted().getType().getUnspecifiedType().(IntegralType).isUnsigned()
+  isSignedWithoutUnsignedCast(add) and
+  isSignedWithoutUnsignedCast(va2)
 select ro, "Testing for signed overflow may produce undefined results."
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.cpp
@@ -83,3 +83,22 @@ bool func1(se *so) {
 bool checkOverflow3(unsigned int a, unsigned short b) {
   return (a + b < a);  // GOOD
 }
+
+struct C {
+  unsigned int length;
+};
+
+int checkOverflow4(unsigned int ioff, C c) {
+  // not deleted by gcc or clang
+  if ((int)(ioff + c.length) < (int)ioff) return 0; // GOOD
+  return 1;
+}
+
+#define AV_INPUT_BUFFER_PADDING_SIZE 64
+
+int overflow12(int codecdata_length) {
+	if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length) { // GOOD
+	  return -1;
+	}
+	return 1;
+}
