CPP: Queries: Improve NoSpaceForZeroTerminator query.

geoffw0 · geoffw0 · commit 3895a7e1f034 · 2019-11-22T15:27:08.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -17,16 +17,11 @@
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Allocation
 
-class MallocCall extends FunctionCall {
-  MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
-
-  Expr getAllocatedSize() { result = this.getArgument(0) }
-}
-
-predicate terminationProblem(MallocCall malloc, string msg) {
+predicate terminationProblem(AllocationExpr malloc, string msg) {
   // malloc(strlen(...))
-  exists(StrlenCall strlen | DataFlow::localExprFlow(strlen, malloc.getAllocatedSize())) and
+  exists(StrlenCall strlen | DataFlow::localExprFlow(strlen, malloc.getSizeExpr())) and
   // flows into a null-terminated string function
   exists(ArrayFunction af, FunctionCall fc, int arg |
     DataFlow::localExprFlow(malloc, fc.getArgument(arg)) and
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.expected
@@ -1,6 +1,9 @@
+| test2.cpp:64:34:64:39 | call to calloc | This allocation does not include space to null-terminate the string. |
+| test2.cpp:71:28:71:34 | call to realloc | This allocation does not include space to null-terminate the string. |
 | test.c:16:20:16:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:32:20:32:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:49:20:49:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:24:35:24:40 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:63:28:63:33 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:71:28:71:33 | call to malloc | This allocation does not include space to null-terminate the string. |
+| test.cpp:106:24:106:48 | new[] | This allocation does not include space to null-terminate the string. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.cpp
@@ -102,7 +102,7 @@ void good2(char *str, char *dest) {
 }
 
 void bad9(wchar_t *wstr) {
-    // BAD -- using new [NOT DETECTED]
+    // BAD -- using new
     wchar_t *wbuffer = new wchar_t[wcslen(wstr)];
     wcscpy(wbuffer, wstr);
     delete wbuffer;
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test2.cpp
@@ -60,14 +60,14 @@ void bad2(wchar_t *str) {
 }
 
 void bad3(wchar_t *str) {
-    // BAD -- Not allocating space for '\0' terminator [NOT DETECTED]
+    // BAD -- Not allocating space for '\0' terminator
     wchar_t *buffer = (wchar_t *)calloc(sizeof(wchar_t), wcslen(str));
     wcscpy(buffer, str);
     free(buffer);
 }
 
 void bad4(char *str) {
-    // BAD -- Not allocating space for '\0' terminator [NOT DETECTED]
+    // BAD -- Not allocating space for '\0' terminator
     char *buffer = (char *)realloc(0, strlen(str));
     strcpy(buffer, str);
     free(buffer);

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ void good2(char str, char dest) {`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`void bad9(wchar_t *wstr) {`
`105`		`- // BAD -- using new [NOT DETECTED]`
	`105`	`+ // BAD -- using new`
`106`	`106`	`wchar_t *wbuffer = new wchar_t[wcslen(wstr)];`
`107`	`107`	`wcscpy(wbuffer, wstr);`
`108`	`108`	`delete wbuffer;`