github
diff --git a/‎cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll‎
Lines changed: 131 additions & 33 deletions b/‎cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll‎
Lines changed: 131 additions & 33 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.expected‎
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.expected‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.expected‎
Lines changed: 11 additions & 0 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.expected‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.expected‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.expected‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.expected‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.expected‎
Lines changed: 1 addition & 0 deletions
@@ -25,10 +25,24 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
 }
 
 /**
- * Get the size in bytes of the buffer pointed to by an expression (if this can be determined).
+ * Gets the expression associated with `n`. Unlike `n.asExpr()` this also gets the
+ * expression underlying an indirect dataflow node.
  */
-language[monotonicAggregates]
-int getBufferSize(Expr bufferExpr, Element why) {
+private Expr getExpr(DataFlow::Node n, boolean isIndirect) {
+  result = n.asExpr() and isIndirect = false
+  or
+  result = n.asIndirectExpr() and isIndirect = true
+}
+
+private DataFlow::Node exprNode(Expr e, boolean isIndirect) { e = getExpr(result, isIndirect) }
+
+/**
+ * Holds if `bufferExpr` is an allocation-like expression.
+ *
+ * This includes both actual allocations, as well as various operations that return a pointer to
+ * stack-allocated objects.
+ */
+private int isSource(Expr bufferExpr, Element why) {
   exists(Variable bufferVar | bufferVar = bufferExpr.(VariableAccess).getTarget() |
     // buffer is a fixed size array
     result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
@@ -46,42 +60,12 @@ int getBufferSize(Expr bufferExpr, Element why) {
     ) and
     result = why.(Expr).getType().(ArrayType).getSize() and
     not exists(bufferVar.getUnspecifiedType().(ArrayType).getSize())
-    or
-    exists(Class parentClass, VariableAccess parentPtr, int bufferSize |
-      // buffer is the parentPtr->bufferVar of a 'variable size struct'
-      memberMayBeVarSize(parentClass, bufferVar) and
-      why = bufferVar and
-      parentPtr = bufferExpr.(VariableAccess).getQualifier() and
-      parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
-      (
-        if exists(bufferVar.getType().getSize())
-        then bufferSize = bufferVar.getType().getSize()
-        else bufferSize = 0
-      ) and
-      result = getBufferSize(parentPtr, _) + bufferSize - parentClass.getSize()
-    )
   )
   or
   // buffer is a fixed size dynamic allocation
   result = bufferExpr.(AllocationExpr).getSizeBytes() and
   why = bufferExpr
   or
-  exists(DataFlow::ExprNode bufferExprNode |
-    // dataflow (all sources must be the same size)
-    bufferExprNode = DataFlow::exprNode(bufferExpr) and
-    result =
-      unique(Expr def |
-        DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode)
-      |
-        getBufferSize(def, _)
-      ) and
-    // find reason
-    exists(Expr def | DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode) |
-      why = def or
-      exists(getBufferSize(def, why))
-    )
-  )
-  or
   exists(Type bufferType |
     // buffer is the address of a variable
     why = bufferExpr.(AddressOfExpr).getAddressable() and
@@ -100,3 +84,117 @@ int getBufferSize(Expr bufferExpr, Element why) {
     result = bufferType.getSize()
   )
 }
+
+/** Holds if the value of `n2 + delta` may be equal to the value of `n1`. */
+private predicate localFlowIncrStep(DataFlow::Node n1, DataFlow::Node n2, int delta) {
+  DataFlow::localFlowStep(n1, n2) and
+  (
+    exists(IncrementOperation incr |
+      n1.asIndirectExpr() = incr.getOperand() and
+      delta = -1
+    )
+    or
+    exists(DecrementOperation decr |
+      n1.asIndirectExpr() = decr.getOperand() and
+      delta = 1
+    )
+    or
+    exists(AddExpr add, Expr e1, Expr e2 |
+      add.hasOperands(e1, e2) and
+      n1.asIndirectExpr() = e1 and
+      delta = -e2.getValue().toInt()
+    )
+    or
+    exists(SubExpr add, Expr e1, Expr e2 |
+      add.hasOperands(e1, e2) and
+      n1.asIndirectExpr() = e1 and
+      delta = e2.getValue().toInt()
+    )
+  )
+}
+
+/**
+ * Holds if `n1` may flow to `n2` without passing through any back-edges.
+ *
+ * Back-edges are excluded to prevent infinite loops on examples like:
+ * ```
+ * while(true) { ++n; }
+ * ```
+ * which, when used in `localFlowStepRec`, would create infinite loop that continuously
+ * increments the `delta` parameter.
+ */
+private predicate localFlowNotIncrStep(DataFlow::Node n1, DataFlow::Node n2) {
+  not localFlowIncrStep(n1, n2, _) and
+  DataFlow::localFlowStep(n1, n2) and
+  not n1 = n2.(DataFlow::SsaPhiNode).getAnInput(true)
+}
+
+private predicate localFlowToExprStep(DataFlow::Node n1, DataFlow::Node n2) {
+  not exists([n1.asExpr(), n1.asIndirectExpr()]) and
+  localFlowNotIncrStep(n1, n2)
+}
+
+/** Holds if `mid2 + delta` may be equal to `n1`. */
+private predicate localFlowStepRec0(DataFlow::Node n1, DataFlow::Node mid2, int delta) {
+  exists(DataFlow::Node mid1, int d1, int d2 |
+    // Or we take a number of steps that adds `d1` to the pointer
+    localFlowStepRec(n1, mid1, d1) and
+    // followed by a step that adds `d2` to the pointer
+    localFlowIncrStep(mid1, mid2, d2) and
+    delta = d1 + d2
+  )
+}
+
+/** Holds if `n2 + delta` may be equal to `n1`. */
+private predicate localFlowStepRec(DataFlow::Node n1, DataFlow::Node n2, int delta) {
+  // Either we take one or more steps that doesn't modify the size of the buffer
+  localFlowNotIncrStep+(n1, n2) and
+  delta = 0
+  or
+  exists(DataFlow::Node mid2 |
+    // Or we step from `n1` to `mid2 + delta`
+    localFlowStepRec0(n1, mid2, delta) and
+    // and finally to the next `ExprNode`.
+    localFlowToExprStep*(mid2, n2)
+  )
+}
+
+/**
+ * Holds if `e2` is an expression that is derived from `e1` such that if `e1[n]` is a
+ * well-defined expression for some number `n`, then `e2[n + delta]` is also a well-defined
+ * expression.
+ */
+private predicate step(Expr e1, Expr e2, int delta) {
+  exists(Variable bufferVar, Class parentClass, VariableAccess parentPtr, int bufferSize |
+    e1 = parentPtr
+  |
+    bufferVar = e2.(VariableAccess).getTarget() and
+    // buffer is the parentPtr->bufferVar of a 'variable size struct'
+    memberMayBeVarSize(parentClass, bufferVar) and
+    parentPtr = e2.(VariableAccess).getQualifier() and
+    parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
+    (
+      if exists(bufferVar.getType().getSize())
+      then bufferSize = bufferVar.getType().getSize()
+      else bufferSize = 0
+    ) and
+    delta = bufferSize - parentClass.getSize()
+  )
+  or
+  exists(boolean isIndirect |
+    localFlowStepRec(exprNode(e1, isIndirect), exprNode(e2, isIndirect), delta)
+  )
+}
+
+/**
+ * Get the size in bytes of the buffer pointed to by an expression (if this can be determined).
+ */
+int getBufferSize(Expr bufferExpr, Element why) {
+  result = isSource(bufferExpr, why)
+  or
+  exists(Expr e0, int delta, int size |
+    size = getBufferSize(e0, why) and
+    delta = unique(int cand | step(e0, bufferExpr, cand) | cand) and
+    result = size + delta
+  )
+}
@@ -0,0 +1,4 @@
+| tests.cpp:350:13:350:19 | call to strncat | This 'call to strncat' operation is limited to 100 bytes but the destination is only 50 bytes. |
+| tests.cpp:452:9:452:15 | call to wcsncpy | This 'call to wcsncpy' operation is limited to 396 bytes but the destination is only 200 bytes. |
+| tests.cpp:481:9:481:16 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |
+| tests.cpp:630:13:630:20 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |
@@ -1,2 +1,13 @@
 | tests.cpp:45:9:45:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
 | tests.cpp:60:9:60:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
+| tests.cpp:171:9:171:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | destination buffer |
+| tests.cpp:172:9:172:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | array |
+| tests.cpp:192:9:192:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | destination buffer |
+| tests.cpp:193:9:193:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | array |
+| tests.cpp:212:9:212:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:201:36:201:41 | call to alloca | destination buffer |
+| tests.cpp:213:9:213:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:201:36:201:41 | call to alloca | array |
+| tests.cpp:237:9:237:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:221:36:221:41 | call to alloca | array |
+| tests.cpp:261:9:261:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:245:10:245:22 | dataBadBuffer | array |
+| tests.cpp:384:9:384:14 | call to memcpy | This 'memcpy' operation accesses 40 bytes but the $@ is only 10 bytes. | tests.cpp:380:19:380:24 | call to alloca | destination buffer |
+| tests.cpp:434:9:434:19 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 200 bytes. | tests.cpp:422:12:422:26 | new[] | array |
+| tests.cpp:453:9:453:19 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 200 bytes. | tests.cpp:445:12:445:26 | new[] | array |
@@ -0,0 +1 @@
+| tests.cpp:668:9:668:14 | call to strcpy | This 'call to strcpy' operation requires 11 bytes but the destination is only 10 bytes. |
@@ -664,7 +664,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_cpy_12_bad()
     }
     {
         char source[10+1] = SRC_STRING;
-        /* POTENTIAL FLAW: data may not have enough space to hold source */ // [NOT DETECTED]
+        /* POTENTIAL FLAW: data may not have enough space to hold source */
         strcpy(data, source);
         printLine(data);
     }
 
@@ -1 +1,2 @@
+| var_size_struct.cpp:73:3:73:9 | call to strncpy | This 'call to strncpy' operation is limited to 1025 bytes but the destination is only 1024 bytes. |
 | var_size_struct.cpp:103:3:103:9 | call to strncpy | This 'call to strncpy' operation is limited to 129 bytes but the destination is only 128 bytes. |
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| tests.cpp:668:9:668:14 \| call to strcpy \| This 'call to strcpy' operation requires 11 bytes but the destination is only 10 bytes. \|`
Original file line number	Diff line number	Diff line change
`@@ -664,7 +664,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_cpy_12_bad()`
`664`	`664`	`}`
`665`	`665`	`{`
`666`	`666`	`char source[10+1] = SRC_STRING;`
`667`		`- /* POTENTIAL FLAW: data may not have enough space to hold source */ // [NOT DETECTED]`
	`667`	`+ /* POTENTIAL FLAW: data may not have enough space to hold source */`
`668`	`668`	`strcpy(data, source);`
`669`	`669`	`printLine(data);`
`670`	`670`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
	`1`	`+\| var_size_struct.cpp:73:3:73:9 \| call to strncpy \| This 'call to strncpy' operation is limited to 1025 bytes but the destination is only 1024 bytes. \|`
`1`	`2`	`\| var_size_struct.cpp:103:3:103:9 \| call to strncpy \| This 'call to strncpy' operation is limited to 129 bytes but the destination is only 128 bytes. \|`