CPP: Queries: Improve OverflowCalculated query.

geoffw0 · geoffw0 · commit 3c9432d7b7ba · 2019-11-22T15:19:00.000Z
diff --git a/cpp/ql/src/Critical/OverflowCalculated.ql b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -12,20 +12,13 @@
 
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
-
-class MallocCall extends FunctionCall {
-  MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
-
-  Expr getAllocatedSize() {
-    result = this.getArgument(0)
-  }
-}
+import semmle.code.cpp.models.interfaces.Allocation
 
 predicate spaceProblem(FunctionCall append, string msg) {
-  exists(MallocCall malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer |
+  exists(AllocationExpr malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer |
     add.getAChild() = strlen and
     exists(add.getAChild().getValue()) and
-    DataFlow::localExprFlow(add, malloc.getAllocatedSize()) and
+    DataFlow::localExprFlow(add, malloc.getSizeExpr()) and
     buffer.getAnAccess() = strlen.getStringExpr() and
     (
       insert.getTarget().hasGlobalOrStdName("strcpy") or
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected b/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected
@@ -1,5 +1,7 @@
 | tests1.cpp:26:21:26:26 | call to malloc | This allocation does not include space to null-terminate the string. |
+| tests1.cpp:56:21:56:27 | call to realloc | This allocation does not include space to null-terminate the string. |
 | tests1.cpp:67:21:67:26 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests1.cpp:89:25:89:30 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:25:21:25:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:30:21:30:31 | call to malloc | This allocation does not include space to null-terminate the string. |
+| tests3.cpp:53:17:53:44 | new[] | This allocation does not include space to null-terminate the string. |
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp
@@ -53,7 +53,7 @@ void tests1(int case_num)
 			break;
 
 		case 7:
-			buffer = (char *)realloc(buffer, strlen(str)); // BAD [NOT DETECTED]
+			buffer = (char *)realloc(buffer, strlen(str)); // BAD
 			strcpy(buffer, str);
 			break;
 
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp
@@ -50,7 +50,7 @@ void tests3(int case_num)
 
 void test3b()
 {
-	char *buffer = new char[strlen(str3global)]; // BAD [NOT DETECTED]
+	char *buffer = new char[strlen(str3global)]; // BAD
 
 	strcpy(buffer, str3global);
 

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ void tests3(int case_num)`
`50`	`50`
`51`	`51`	`void test3b()`
`52`	`52`	`{`
`53`		`- char *buffer = new char[strlen(str3global)]; // BAD [NOT DETECTED]`
	`53`	`+ char *buffer = new char[strlen(str3global)]; // BAD`
`54`	`54`
`55`	`55`	`strcpy(buffer, str3global);`
`56`	`56`