Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit a2c0532

Browse files
geoffw0geoffw0
committed
CPP: Tests: CWE-120 test cases for calloc, realloc and new.
1 parent d67ea4d commit a2c0532

2 files changed

Lines changed: 55 additions & 0 deletions

File tree

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.expected

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,10 @@
1+
| tests2.cpp:17:3:17:8 | call to wcscpy | This 'call to wcscpy' operation requires 12 bytes but the destination is only 8 bytes. |
2+
| tests2.cpp:22:3:22:8 | call to wcscpy | This 'call to wcscpy' operation requires 16 bytes but the destination is only 12 bytes. |
3+
| tests2.cpp:27:3:27:8 | call to wcscpy | This 'call to wcscpy' operation requires 20 bytes but the destination is only 16 bytes. |
4+
| tests2.cpp:31:3:31:8 | call to wcscpy | This 'call to wcscpy' operation requires 24 bytes but the destination is only 20 bytes. |
5+
| tests2.cpp:36:3:36:8 | call to wcscpy | This 'call to wcscpy' operation requires 28 bytes but the destination is only 24 bytes. |
6+
| tests2.cpp:41:3:41:8 | call to wcscpy | This 'call to wcscpy' operation requires 32 bytes but the destination is only 28 bytes. |
7+
| tests2.cpp:46:3:46:8 | call to wcscpy | This 'call to wcscpy' operation requires 36 bytes but the destination is only 32 bytes. |
18
| tests.c:54:3:54:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 10 bytes. |
29
| tests.c:58:3:58:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 10 bytes. |
310
| tests.c:62:17:62:24 | buffer10 | This 'scanf string argument' operation requires 11 bytes but the destination is only 10 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
2+
// library types, functions etc
3+
typedef unsigned long size_t;
4+
void *malloc(size_t size);
5+
void *realloc(void *ptr, size_t size);
6+
void *calloc(size_t nmemb, size_t size);
7+
void free(void *ptr);
8+
wchar_t *wcscpy(wchar_t *s1, const wchar_t *s2);
9+
10+
// --- Semmle tests ---
11+
12+
void tests2() {
13+
wchar_t *buffer;
14+
15+
buffer = (wchar_t *)malloc(2 * sizeof(wchar_t));
16+
wcscpy(buffer, L"1"); // GOOD
17+
wcscpy(buffer, L"12"); // BAD: buffer overflow
18+
free(buffer);
19+
20+
buffer = (wchar_t *)malloc(3 * sizeof(wchar_t));
21+
wcscpy(buffer, L"12"); // GOOD
22+
wcscpy(buffer, L"123"); // BAD: buffer overflow
23+
free(buffer);
24+
25+
buffer = (wchar_t *)realloc(0, 4 * sizeof(wchar_t));
26+
wcscpy(buffer, L"123"); // GOOD
27+
wcscpy(buffer, L"1234"); // BAD: buffer overflow
28+
29+
buffer = (wchar_t *)realloc(buffer, 5 * sizeof(wchar_t));
30+
wcscpy(buffer, L"1234"); // GOOD
31+
wcscpy(buffer, L"12345"); // BAD: buffer overflow
32+
free(buffer);
33+
34+
buffer = (wchar_t *)calloc(6, sizeof(wchar_t));
35+
wcscpy(buffer, L"12345"); // GOOD
36+
wcscpy(buffer, L"123456"); // BAD: buffer overflow
37+
free(buffer);
38+
39+
buffer = (wchar_t *)calloc(sizeof(wchar_t), 7);
40+
wcscpy(buffer, L"123456"); // GOOD
41+
wcscpy(buffer, L"1234567"); // BAD: buffer overflow
42+
free(buffer);
43+
44+
buffer = new wchar_t[8];
45+
wcscpy(buffer, L"1234567"); // GOOD
46+
wcscpy(buffer, L"12345678"); // BAD: buffer overflow
47+
delete [] buffer;
48+
}

0 commit comments

Comments
 (0)