
Commit 6255662

committed
C++: Add two new model implementation classes.
1 parent 69ce24d commit 6255662

3 files changed

Lines changed: 103 additions & 0 deletions


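--- a/cpp/ql/src/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -15,6 +15,8 @@ private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
+private import implementations.Strtok
+private import implementations.Strset
 private import implementations.StdContainer
 private import implementations.StdPair
 private import implementations.StdMap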
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
/**
2+
* Provides implementation classes modeling `strset` and various similar
3+
* functions. See `semmle.code.cpp.models.Models` for usage information.
4+
*/
5+
6+
import semmle.code.cpp.Function
7+
import semmle.code.cpp.models.interfaces.ArrayFunction
8+
import semmle.code.cpp.models.interfaces.DataFlow
9+
import semmle.code.cpp.models.interfaces.Alias
10+
import semmle.code.cpp.models.interfaces.SideEffect
11+
12+
/**
13+
* The standard function `strset` and its assorted variants
14+
*/
15+
private class StrsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
16+
SideEffectFunction {
17+
StrsetFunction() {
18+
hasGlobalName([
19+
"strset", "_strset", "_strset_l", "_wcsset", "_wcsset_l", "_mbsset", "_mbsset_l",
20+
"_mbsnbset", "_mbsnbset_l", "_strnset", "_strnset_l", "_wcsnset", "_wcsnset_l", "_mbsnset",
21+
"_mbsnset_l"
22+
])
23+
}
24+
25+
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
26+
// flow from the character that overrides the string
27+
input.isParameter(1) and
28+
(
29+
output.isReturnValueDeref()
30+
or
31+
output.isParameterDeref(1)
32+
)
33+
or
34+
// flow from the input string to the output string
35+
input.isParameter(0) and
36+
output.isReturnValue()
37+
}
38+
39+
override predicate parameterNeverEscapes(int index) { none() }
40+
41+
override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
42+
43+
override predicate parameterIsAlwaysReturned(int index) { index = 0 }
44+
45+
override predicate hasOnlySpecificReadSideEffects() { any() }
46+
47+
override predicate hasOnlySpecificWriteSideEffects() { any() }
48+
49+
override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
50+
i = 0 and buffer = true and mustWrite = true
51+
}
52+
}
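Review bot: In `hasDataFlow` (new lines 25-37), the first disjunct sends flow from the fill character, parameter 1, to `output.isParameterDeref(1)`, but parameter 1 is the character itself and has no pointee; the buffer being overwritten is parameter 0, which is what the `hasSpecificWriteSideEffect` override at new line 50 already states with `i = 0`. The line should read `output.isParameterDeref(0)`. As written, a value reaching the fill character is tracked into the return value's pointee but not into the caller's buffer, so data-flow queries that rely on this model can miss flows through the first argument. The class also extends `ArrayFunction` without overriding any of its predicates and declares `hasOnlySpecificReadSideEffects()` with no `hasSpecificReadSideEffect`, although these functions presumably read the buffer to find its terminator; a short comment saying whether that omission is deliberate would help.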
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
/**
2+
* Provides implementation classes modeling `strtok` and various similar
3+
* functions. See `semmle.code.cpp.models.Models` for usage information.
4+
*/
5+
6+
import semmle.code.cpp.Function
7+
import semmle.code.cpp.models.interfaces.ArrayFunction
8+
import semmle.code.cpp.models.interfaces.ArrayFunction
9+
import semmle.code.cpp.models.interfaces.Alias
10+
import semmle.code.cpp.models.interfaces.SideEffect
11+
import semmle.code.cpp.models.interfaces.Taint
12+
13+
/**
14+
* The standard function `strtok` and its assorted variants
15+
*/
16+
private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
17+
Strtok() {
18+
this.hasGlobalOrStdName("strtok") or
19+
this.hasGlobalName(["strtok_r", "_strtok_l", "wcstok", "_wcstok_l", "_mbstok", "_mbstok_l"])
20+
}
21+
22+
override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = [0, 1] }
23+
24+
override predicate hasArrayInput(int bufParam) { bufParam = [0, 1] }
25+
26+
override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
27+
28+
override predicate parameterNeverEscapes(int index) { index = 1 }
29+
30+
override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
31+
32+
override predicate parameterIsAlwaysReturned(int index) { none() }
33+
34+
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
35+
input.isParameter(0) and output.isReturnValue()
36+
}
37+
38+
override predicate hasOnlySpecificReadSideEffects() { any() }
39+
40+
override predicate hasOnlySpecificWriteSideEffects() { any() }
41+
42+
override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
43+
i = 0 and buffer = true and mustWrite = false
44+
}
45+
46+
override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
47+
i = [0, 1] and buffer = true
48+
}
49+
}
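Review bot: `parameterEscapesOnlyViaReturn` holding for index 0 (new line 30) looks too strong for this family, because `strtok` keeps a pointer into its first argument between calls and `strtok_r` stores one through its third parameter, so the address outlives the call by a route other than the return value. If the alias interface is meant strictly, `override predicate parameterEscapesOnlyViaReturn(int index) { none() }` is the safer model until the save-pointer variants are handled separately. For the same reason, `hasSpecificWriteSideEffect` with only `i = 0` under `hasOnlySpecificWriteSideEffects() { any() }` leaves the write through the save pointer of `strtok_r` (and of a three-argument `wcstok`, if that is the signature in scope) unmodelled. Separately, `semmle.code.cpp.models.interfaces.ArrayFunction` is imported twice, at new lines 7 and 8, and one of the two can be dropped.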
