[CPP-370] Add nested.cpp test case, for nested calls to ...printf functions.

zlaski-semmle · zlaski-semmle · commit 6025c038576e · 2019-05-21T06:21:12.000-07:00
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected
@@ -2,6 +2,8 @@
 | NonConstantFormat.c:34:9:34:36 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
 | NonConstantFormat.c:41:9:41:27 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
 | NonConstantFormat.c:45:9:45:48 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
+| nested.cpp:21:23:21:26 | fmt0 | The format string argument to snprintf should be constant to prevent security issues and other potential errors. |
+| nested.cpp:80:32:80:38 | call to get_fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
 | test.cpp:45:10:45:21 | call to make_message | The format string argument to printf should be constant to prevent security issues and other potential errors. |
 | test.cpp:50:12:50:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
 | test.cpp:53:12:53:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp
@@ -0,0 +1,81 @@
+typedef void *va_list;
+#define va_start(ap, parmN)
+#define va_end(ap)
+#define va_arg(ap, type) ((type)0)
+#define NULL 0
+
+extern "C" int printf(const char *fmt, ...);
+extern "C" int snprint(char *buf, int len, const char *fmt, ...);
+extern "C" int _vsnprintf_s(
+   char *buffer,
+   int sizeOfBuffer,
+   int count,
+   const char *fmt,
+   va_list argptr
+);
+extern "C" int snprintf ( char * s, int n, const char * format, ... );
+
+struct A {
+  void do_print(const char *fmt0) {
+    char buf[32];
+    snprintf(buf, 32, fmt0);
+  }
+};
+
+struct B {
+  A a;
+  void do_printing(const char *fmt) {
+    a.do_print(fmt);
+  }
+};
+
+struct C {
+  B b;
+  void do_some_printing(const char *fmt) {
+    b.do_printing(fmt);
+  }
+  const char *ext_fmt_str(void);
+};
+
+void foo(void) {
+  C c;
+  c.do_some_printing(c.ext_fmt_str());
+}
+
+struct some_class {
+    // Retrieve some target specific output strings
+    virtual const char * get_fmt() const = 0;
+};
+
+struct debug_ {
+    int
+    out_str(
+        const char *fmt,
+        va_list args)
+    {
+        char str[4096];
+        //int length = printf(fmt, args);
+        int length = _vsnprintf_s(str, sizeof(str), 0, fmt, args);
+        if (length > 0)
+        {
+            return 0;
+        }
+        return 1;
+    }
+};
+
+some_class* some_instance = NULL;
+debug_ *debug_ctrl;
+
+void diagnostic(const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    debug_ctrl->out_str(fmt, args);
+    va_end(args);
+}
+
+void bar(void) {
+    diagnostic (some_instance->get_fmt());
+}
