Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 4a27028

Browse files
jketemajketema
committed
C++: Remove cpp/invalid-pointer-deref results duplicating ones with smaller k 
1 parent 90f0209 commit 4a27028

2 files changed

Lines changed: 10 additions & 7 deletions

File tree

cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -377,15 +377,19 @@ predicate hasFlowPath(
377377
}
378378

379379
from
380-
MergedPathNode source, MergedPathNode sink, int k2, int k3, string kstr,
381-
InvalidPointerToDerefFlow::PathNode source3, PointerArithmeticInstruction pai, string operation,
382-
Expr offset, DataFlow::Node n
380+
MergedPathNode source, MergedPathNode sink, int k, string kstr, PointerArithmeticInstruction pai,
381+
string operation, Expr offset, DataFlow::Node n
383382
where
384-
hasFlowPath(source, sink, source3, pai, operation, k3) and
385-
invalidPointerToDerefSource(pai, source3.getNode(), k2) and
383+
k =
384+
min(int k2, int k3, InvalidPointerToDerefFlow::PathNode source3 |
385+
hasFlowPath(source, sink, source3, pai, operation, k3) and
386+
invalidPointerToDerefSource(pai, source3.getNode(), k2)
387+
|
388+
k2 + k3
389+
) and
386390
offset = pai.getRight().getUnconvertedResultExpression() and
387391
n = source.asPathNode1().getNode() and
388-
if (k2 + k3) = 0 then kstr = "" else kstr = " + " + (k2 + k3)
392+
if k = 0 then kstr = "" else kstr = " + " + k
389393
select sink, source, sink,
390394
"This " + operation + " might be out of bounds, as the pointer might be equal to $@ + $@" + kstr +
391395
".", n, n.toString(), offset, offset.toString()

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1128,5 +1128,4 @@ subpaths
11281128
| test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
11291129
| test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
11301130
| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
1131-
| test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
11321131
| test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |

0 commit comments

Comments
 (0)