@@ -14,64 +14,71 @@ import cpp
1414import semmle.code.cpp.dataflow.DataFlow
1515
1616predicate isStringComparisonFunction ( string functionName ) {
17- functionName = "strcpy"
18- or functionName = "wcscpy"
19- or functionName = "_mbscpy"
20- or functionName = "strncpy"
21- or functionName = "_strncpy_l"
22- or functionName = "wcsncpy"
23- or functionName = "_wcsncpy_l"
24- or functionName = "_mbsncpy"
25- or functionName = "_mbsncpy_l"
17+ functionName = "strcpy" or
18+ functionName = "wcscpy" or
19+ functionName = "_mbscpy" or
20+ functionName = "strncpy" or
21+ functionName = "_strncpy_l" or
22+ functionName = "wcsncpy" or
23+ functionName = "_wcsncpy_l" or
24+ functionName = "_mbsncpy" or
25+ functionName = "_mbsncpy_l"
2626}
2727
28- predicate isBoolean ( Expr e1 )
29- {
30- exists ( Type t1 |
28+ predicate isBoolean ( Expr e1 ) {
29+ exists ( Type t1 |
3130 t1 = e1 .getType ( ) and
3231 ( t1 .hasName ( "bool" ) or t1 .hasName ( "BOOL" ) or t1 .hasName ( "_Bool" ) )
3332 )
3433}
3534
36- predicate isStringCopyCastedAsBoolean ( FunctionCall func , Expr expr1 , string msg ) {
37- DataFlow:: localFlow ( DataFlow:: exprNode ( func ) , DataFlow:: exprNode ( expr1 ) )
38- and isBoolean ( expr1 .getConversion * ( ) )
39- and isStringComparisonFunction ( func .getTarget ( ) .getQualifiedName ( ) )
40- and msg = "Return Value of " + func .getTarget ( ) .getQualifiedName ( ) + " used as boolean."
35+ predicate isStringCopyCastedAsBoolean ( FunctionCall func , Expr expr1 , string msg ) {
36+ DataFlow:: localFlow ( DataFlow:: exprNode ( func ) , DataFlow:: exprNode ( expr1 ) ) and
37+ isBoolean ( expr1 .getConversion * ( ) ) and
38+ isStringComparisonFunction ( func .getTarget ( ) .getQualifiedName ( ) ) and
39+ msg = "Return Value of " + func .getTarget ( ) .getQualifiedName ( ) + " used as boolean."
4140}
4241
43- predicate isStringCopyUsedInLogicalOperationOrCondition ( FunctionCall func , Expr expr1 , string msg ) {
44- isStringComparisonFunction ( func .getTarget ( ) .getQualifiedName ( ) )
45- and ( ( (
46- // it is being used in an equality or logical operation
47- exists ( EqualityOperation eop |
48- eop = expr1
49- and func = eop .getAChild ( )
50- )
51- or exists ( UnaryLogicalOperation ule |
52- expr1 = ule
53- and func = ule .getAChild ( )
54- )
55- or exists ( BinaryLogicalOperation ble |
56- expr1 = ble
57- and func = ble .getAChild ( )
58- )
59- )
60- and msg = "Return Value of " + func .getTarget ( ) .getQualifiedName ( ) + " used in a logical operation."
42+ predicate isStringCopyUsedInLogicalOperationOrCondition ( FunctionCall func , Expr expr1 , string msg ) {
43+ isStringComparisonFunction ( func .getTarget ( ) .getQualifiedName ( ) ) and
44+ (
45+ (
46+ (
47+ // it is being used in an equality or logical operation
48+ exists ( EqualityOperation eop |
49+ eop = expr1 and
50+ func = eop .getAChild ( )
51+ )
52+ or
53+ exists ( UnaryLogicalOperation ule |
54+ expr1 = ule and
55+ func = ule .getAChild ( )
56+ )
57+ or
58+ exists ( BinaryLogicalOperation ble |
59+ expr1 = ble and
60+ func = ble .getAChild ( )
61+ )
62+ ) and
63+ msg = "Return Value of " + func .getTarget ( ) .getQualifiedName ( ) +
64+ " used in a logical operation."
6165 )
6266 or
63- exists ( ConditionalStmt condstmt |
64- condstmt .getAChild ( ) = expr1 |
67+ exists ( ConditionalStmt condstmt | condstmt .getAChild ( ) = expr1 |
6568 // or the string copy function is used directly as the conditional expression
66- func = condstmt .getChild ( 0 )
67- and msg = "Return Value of " + func .getTarget ( ) .getQualifiedName ( ) + " used directly in a conditional expression."
68- ) )
69+ func = condstmt .getChild ( 0 ) and
70+ msg = "Return Value of " + func .getTarget ( ) .getQualifiedName ( ) +
71+ " used directly in a conditional expression."
72+ )
73+ )
6974}
7075
7176from FunctionCall func , Expr expr1 , string msg
72- where
73- ( isStringCopyCastedAsBoolean ( func , expr1 , msg ) and
77+ where
78+ (
79+ isStringCopyCastedAsBoolean ( func , expr1 , msg ) and
7480 not isStringCopyUsedInLogicalOperationOrCondition ( func , expr1 , _)
7581 )
76- or isStringCopyUsedInLogicalOperationOrCondition ( func , expr1 , msg )
82+ or
83+ isStringCopyUsedInLogicalOperationOrCondition ( func , expr1 , msg )
7784select expr1 , msg
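Review bot: The predicate `isStringComparisonFunction` at the top of the hunk lists only copy routines (`strcpy`, `wcscpy`, `_mbscpy`, `strncpy`, `wcsncpy`, `_mbsncpy` and their `_l` variants), so its name contradicts what it matches and will mislead anyone extending this query. Since the reformat already touches every line of its body, rename it to `isStringCopyFunction` and update the calls in `isStringCopyCastedAsBoolean` and `isStringCopyUsedInLogicalOperationOrCondition`. A short QLDoc line above it, for example `/** Holds if functionName is a string-copy function, whose result is a destination pointer rather than a comparison result. */`, would also record why a boolean use of these calls is flagged.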