

CPP: Fix in dataflow.
1 parent d51f870 commit 3deff9c

3 files changed

Lines changed: 6 additions & 3 deletions


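--- a/cpp/ql/src/semmle/code/cpp/security/TaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/TaintTracking.qll
@@ -75,7 +75,11 @@ predicate moveToDependingOnSide(Expr src, Expr dest) {
 and (base = binop.getLeftOperand() or base = binop.getRightOperand())
 and isPointer(base.getType())
 and base.getTarget() instanceof LocalScopeVariable
-and src = base)
+and src = base
+
+// flow through pointer-pointer subtraction is dubious, the result should be
+// a number bounded by the size of the pointed-to thing.
+and not binop instanceof PointerDiffExpr)
 or exists (UnaryOperation unop |
 dest = unop
 and unop.getAnOperand() = src)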
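Review bot: The new `and not binop instanceof PointerDiffExpr` clause drops taint through every pointer-pointer subtraction unconditionally, but the bound the comment relies on only holds when both pointers are independent of user input; if one operand was itself formed from a tainted offset (`end = start + n` with `n` from the user), `end - start` is still attacker-controlled and this exclusion would hide it from TaintedAllocationSize. I cannot tell from this hunk whether taint on the non-pointer operand of such a `p + n` reaches `p` through another clause of this predicate, so this may or may not be a real loss of true positives, but it is worth pinning down with a BAD test before relying on the blanket exclusion. The comment should at least record the trade-off, e.g. `// Precision trade-off: a difference between two pointers that were both derived` / `// independently of user input is bounded; a pointer built from a tainted offset is not.` The predicate moveToDependingOnSide begins before this hunk and its remaining clauses continue after it.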

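--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -4,4 +4,3 @@
 | test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:55:11:55:24 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:79:9:79:29 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |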

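--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -76,7 +76,7 @@ void processData2(char *start, char *end)
 {
 char *copy;
 
-copy = new char[end - start]; // GOOD [FALSE POSITIVE]
+copy = new char[end - start]; // GOOD
 
 // ...
 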
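Review bot: The only coverage for the new pointer-difference exclusion is this GOOD line in processData2, so nothing in the test suite would catch the exclusion suppressing a true positive. A BAD counterpart in which the difference is attacker-derived would pin the intended precision, e.g. `char *limit = start + taintedLen; // taintedLen read from user input` followed by `copy = new char[limit - start]; // BAD`, together with the matching row in TaintedAllocationSize.expected. The body of processData2 continues past this hunk, so the site of the fread-derived `buffer` that the removed expected row pointed at is not visible here.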