Commit 99047e5

[CPP-370] Exclude UserDefinedFormattingFunction nodes.
1 parent b205951 commit 99047e5

2 files changed

Lines changed: 147 additions & 63 deletions


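--- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
@@ -88,8 +88,7 @@ predicate isNonConst(DataFlow::Node node) {
     )
   )
   or
-  // TODO: Figure out what to do with DataFlow::DefinitionByReferenceNode
-  exists(DataFlow::DefinitionByReferenceNode dbr | dbr = node.(DataFlow::DefinitionByReferenceNode))
+  node instanceof DataFlow::DefinitionByReferenceNode
 }
 
 class NonConstFlow extends TaintTracking::Configuration {
@@ -98,7 +97,11 @@ class NonConstFlow extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { isNonConst(source) }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(FormattingFunctionCall fc | sink.asExpr() = fc.getArgument(fc.getFormatParameterIndex()))
+    exists(FormattingFunctionCall fc |
+      sink.asExpr() = fc.getArgument(fc.getFormatParameterIndex())
+    |
+      not fc.getTarget() instanceof UserDefinedFormattingFunction
+    )
   }
 }
 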
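Review bot: The new condition in `isSink` carries no comment saying why calls to a `UserDefinedFormattingFunction` are no longer sinks, and the commit message only restates the change. Presumably the intent is that a non-constant format string handed to a user-defined wrapper is tracked into the wrapper and reported at the library call it forwards to, but that only holds when the wrapper's definition is in the database and taint is followed through it; a wrapper whose body is absent, or that interprets the format itself, now produces no alert at all. I would add `// Calls to user-defined formatting functions are not sinks: the format string is tracked into the wrapper and reported at the underlying library call.` above the `not fc.getTarget()` line, plus a test passing a non-constant format to such a wrapper whose definition is not in the snapshot. The first hunk also drops the TODO about `DefinitionByReferenceNode` without resolving it; if that question is still open, keep the TODO next to the `instanceof` line.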

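--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -5,9 +5,10 @@ import semmle.code.cpp.models.interfaces.FormattingFunction
  */
 class Printf extends FormattingFunction {
   Printf() {
-    this instanceof TopLevelFunction and
+    this instanceof TopLevelFunction and
     (
       hasGlobalName("printf") or
+      hasGlobalName("__builtin_printf") or
       hasGlobalName("printf_s") or
       hasGlobalName("wprintf") or
       hasGlobalName("wprintf_s") or
@@ -16,7 +17,8 @@ class Printf extends FormattingFunction {
     not exists(getDefinition().getFile().getRelativePath())
   }
 
-  override int getFormatParameterIndex() { result=0 }
+  override int getFormatParameterIndex() { result = 0 }
+
   override predicate isWideCharDefault() {
     hasGlobalName("wprintf") or
     hasGlobalName("wprintf_s")
@@ -31,15 +33,18 @@ class Fprintf extends FormattingFunction {
     this instanceof TopLevelFunction and
     (
       hasGlobalName("fprintf") or
+      hasGlobalName("__bultin_fprintf") or
       hasGlobalName("fwprintf") or
       hasGlobalName("g_fprintf")
     ) and
     not exists(getDefinition().getFile().getRelativePath())
   }
 
-  override int getFormatParameterIndex() { result=1 }
+  override int getFormatParameterIndex() { result = 1 }
+
   override predicate isWideCharDefault() { hasGlobalName("fwprintf") }
-  override int getOutputParameterIndex() { result=0 }
+
+  override int getOutputParameterIndex() { result = 0 }
 }
 
 /**
@@ -50,6 +55,7 @@ class Sprintf extends FormattingFunction {
     this instanceof TopLevelFunction and
     (
       hasGlobalName("sprintf") or
+      hasGlobalName("__builtin_sprintf") or
       hasGlobalName("_sprintf_l") or
       hasGlobalName("__swprintf_l") or
       hasGlobalName("wsprintf") or
@@ -61,7 +67,12 @@ class Sprintf extends FormattingFunction {
   }
 
   override predicate isWideCharDefault() {
-    getParameter(getFormatParameterIndex()).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
+    getParameter(getFormatParameterIndex())
+      .getType()
+      .getUnspecifiedType()
+      .(PointerType)
+      .getBaseType()
+      .getSize() > 1
   }
 
   override int getFormatParameterIndex() {
@@ -73,12 +84,12 @@ class Sprintf extends FormattingFunction {
     getName() != "__builtin___sprintf_chk" and
     result = 1
   }
-  override int getOutputParameterIndex() {
-    not hasGlobalName("g_strdup_printf") and result = 0
-  }
-
+
+  override int getOutputParameterIndex() { not hasGlobalName("g_strdup_printf") and result = 0 }
+
   override int getFirstFormatArgumentIndex() {
-    if hasGlobalName("__builtin___sprintf_chk") then result = 4
+    if hasGlobalName("__builtin___sprintf_chk")
+    then result = 4
     else result = getNumberOfParameters()
   }
 }
@@ -89,42 +100,50 @@ class Sprintf extends FormattingFunction {
  */
 class Snprintf extends FormattingFunction {
   Snprintf() {
-    this instanceof TopLevelFunction and (
-      hasGlobalName("snprintf") // C99 defines snprintf
-      or hasGlobalName("swprintf") // The s version of wide-char printf is also always the n version
+    this instanceof TopLevelFunction and
+    (
+      hasGlobalName("snprintf") or // C99 defines snprintf
+      hasGlobalName("__builtin_snprintf") or
+      hasGlobalName("swprintf") or // The s version of wide-char printf is also always the n version
       // Microsoft has _snprintf as well as several other variations
-      or hasGlobalName("sprintf_s")
-      or hasGlobalName("snprintf_s")
-      or hasGlobalName("swprintf_s")
-      or hasGlobalName("_snprintf")
-      or hasGlobalName("_snprintf_s")
-      or hasGlobalName("_snprintf_l")
-      or hasGlobalName("_snprintf_s_l")
-      or hasGlobalName("_snwprintf")
-      or hasGlobalName("_snwprintf_s")
-      or hasGlobalName("_snwprintf_l")
-      or hasGlobalName("_snwprintf_s_l")
-      or hasGlobalName("_sprintf_s_l")
-      or hasGlobalName("_swprintf_l")
-      or hasGlobalName("_swprintf_s_l")
-      or hasGlobalName("g_snprintf")
-      or hasGlobalName("wnsprintf")
-      or hasGlobalName("__builtin___snprintf_chk")
+      hasGlobalName("sprintf_s") or
+      hasGlobalName("snprintf_s") or
+      hasGlobalName("swprintf_s") or
+      hasGlobalName("_snprintf") or
+      hasGlobalName("_snprintf_s") or
+      hasGlobalName("_snprintf_l") or
+      hasGlobalName("_snprintf_s_l") or
+      hasGlobalName("_snwprintf") or
+      hasGlobalName("_snwprintf_s") or
+      hasGlobalName("_snwprintf_l") or
+      hasGlobalName("_snwprintf_s_l") or
+      hasGlobalName("_sprintf_s_l") or
+      hasGlobalName("_swprintf_l") or
+      hasGlobalName("_swprintf_s_l") or
+      hasGlobalName("g_snprintf") or
+      hasGlobalName("wnsprintf") or
+      hasGlobalName("__builtin___snprintf_chk")
     ) and
     not exists(getDefinition().getFile().getRelativePath())
   }
 
   override int getFormatParameterIndex() {
     if getName().matches("%\\_l")
-    then result = getFirstFormatArgumentIndex() - 2
-    else result = getFirstFormatArgumentIndex() - 1
+    then result = getFirstFormatArgumentIndex() - 2
+    else result = getFirstFormatArgumentIndex() - 1
   }
 
   override predicate isWideCharDefault() {
-    getParameter(getFormatParameterIndex()).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
+    getParameter(getFormatParameterIndex())
+      .getType()
+      .getUnspecifiedType()
+      .(PointerType)
+      .getBaseType()
+      .getSize() > 1
   }
-  override int getOutputParameterIndex() { result=0 }
-
+
+  override int getOutputParameterIndex() { result = 0 }
+
   override int getFirstFormatArgumentIndex() {
     exists(string name |
       hasGlobalName(name)
@@ -153,58 +172,120 @@ class Snprintf extends FormattingFunction {
     not exists(getDefinition().getFile().getRelativePath())
   }
 
-  override int getSizeParameterIndex() {
-    result = 1
+  override int getSizeParameterIndex() { result = 1 }
+}
+
+/**
+ * The standard functions `vprintf` and `vwprintf`, and their
+ * assorted variants.
+ */
+class Vprintf extends FormattingFunction {
+  Vprintf() {
+    this instanceof TopLevelFunction and
+    (
+      hasGlobalName("vprintf") or
+      hasGlobalName("__builtin_vprintf") or
+      hasGlobalName("vfprintf") or
+      hasGlobalName("__builtin_vfprintf") or
+      hasGlobalName("vsprintf") or
+      hasGlobalName("__builtin_vsprintf") or
+      hasGlobalName("vsnprintf") or
+      hasGlobalName("__builtin_vsnprintf") or
+      hasGlobalName("vprintf_s") or
+      hasGlobalName("vfprintf_s") or
+      hasGlobalName("vsprintf_s") or
+      hasGlobalName("vsnprintf_s") or
+      hasGlobalName("_vsnprintf_s") or
+      hasGlobalName("_vsnprintf_s_l") or
+      hasGlobalName("vwprintf") or
+      hasGlobalName("vfwprintf") or
+      hasGlobalName("vswprintf") or
+      hasGlobalName("vwprintf_s") or
+      hasGlobalName("vfwprintf_s") or
+      hasGlobalName("vswprintf_s") or
+      hasGlobalName("_vsnwprintf_s") or
+      hasGlobalName("_vsnwprintf_s_l")
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
+  }
+
+  override int getFormatParameterIndex() {
+    if getName().matches("%\\_l")
+    then result = getFirstFormatArgumentIndex() - 3
+    else result = getFirstFormatArgumentIndex() - 2
   }
+
+  override int getFirstFormatArgumentIndex() { result = getNumberOfParameters() - 1 }
+
+  override predicate isWideCharDefault() { getName().matches("%w%") }
+
+  override int getOutputParameterIndex() {
+    not (getName().matches("%vprintf%") or getName().matches("%vwprintf%")) and
+    result = 0
+  }
+
+  /**
+   * Holds if this function returns the length of the formatted string
+   * that would have been output, regardless of the amount of space
+   * in the buffer.
+   */
+  predicate returnsFullFormatLength() {
+    (
+      hasGlobalName("vsnprintf") or
+      hasGlobalName("__builtin_vsnprintf")
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
+  }
+
+  override int getSizeParameterIndex() { getName().matches("%sn%") and result = 1 }
 }
 
 /**
  * The Microsoft `StringCchPrintf` function and variants.
  */
 class StringCchPrintf extends FormattingFunction {
   StringCchPrintf() {
-    this instanceof TopLevelFunction and (
-      hasGlobalName("StringCchPrintf")
-      or hasGlobalName("StringCchPrintfEx")
-      or hasGlobalName("StringCchPrintf_l")
-      or hasGlobalName("StringCchPrintf_lEx")
-      or hasGlobalName("StringCbPrintf")
-      or hasGlobalName("StringCbPrintfEx")
-      or hasGlobalName("StringCbPrintf_l")
-      or hasGlobalName("StringCbPrintf_lEx")
+    this instanceof TopLevelFunction and
+    (
+      hasGlobalName("StringCchPrintf") or
+      hasGlobalName("StringCchPrintfEx") or
+      hasGlobalName("StringCchPrintf_l") or
+      hasGlobalName("StringCchPrintf_lEx") or
+      hasGlobalName("StringCbPrintf") or
+      hasGlobalName("StringCbPrintfEx") or
+      hasGlobalName("StringCbPrintf_l") or
+      hasGlobalName("StringCbPrintf_lEx")
     ) and
     not exists(getDefinition().getFile().getRelativePath())
   }
 
   override int getFormatParameterIndex() {
-    if getName().matches("%Ex")
-    then result = 5
-    else result = 2
+    if getName().matches("%Ex") then result = 5 else result = 2
   }
 
   override predicate isWideCharDefault() {
-    getParameter(getFormatParameterIndex()).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() > 1
+    getParameter(getFormatParameterIndex())
+      .getType()
+      .getUnspecifiedType()
+      .(PointerType)
+      .getBaseType()
+      .getSize() > 1
   }
 
-  override int getOutputParameterIndex() {
-    result = 0
-  }
+  override int getOutputParameterIndex() { result = 0 }
 
-  override int getSizeParameterIndex() {
-    result = 1
-  }
+  override int getSizeParameterIndex() { result = 1 }
 }
 
 /**
  * The standard function `syslog`.
  */
 class Syslog extends FormattingFunction {
   Syslog() {
-    this instanceof TopLevelFunction and (
-      hasGlobalName("syslog")
-    ) and
+    this instanceof TopLevelFunction and
+    hasGlobalName("syslog") and
     not exists(getDefinition().getFile().getRelativePath())
   }
 
-  override int getFormatParameterIndex() { result=1 }
+  override int getFormatParameterIndex() { result = 1 }
 }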
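Review bot: `hasGlobalName("__bultin_fprintf")` in the `Fprintf` constructor is misspelled, so calls to `__builtin_fprintf` are never modelled as formatting functions and silently fall outside every query built on this model; it should read `hasGlobalName("__builtin_fprintf") or`, matching the `__builtin_printf`, `__builtin_sprintf` and `__builtin_snprintf` entries added in the same commit. In the new `Vprintf` class the index arithmetic also looks off by one: `getFirstFormatArgumentIndex()` is `getNumberOfParameters() - 1`, i.e. the position of the `va_list`, so with the standard signatures `vprintf(fmt, ap)` makes the else branch of `getFormatParameterIndex()` yield `1 - 2 = -1` and `vsnprintf(buf, n, fmt, ap)` yields `1` where the format is at `2`; either the offsets should be `- 2`/`- 1`, or the first-format-argument index should be `getNumberOfParameters()` as `Sprintf` uses. A comment on `getFirstFormatArgumentIndex()` stating that the result denotes the `va_list` parameter would make the intended convention checkable. Less certain: `getSizeParameterIndex()` keys on `%sn%`, which does not match `vswprintf` or `vswprintf_s`, even though `Snprintf` treats `swprintf` as an n-variant with a size parameter, so those wide variants get no size index.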
