Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit d8b8dda

Browse files
zlaski-semmlezlaski-semmle
committed
[CPP-370] First attempt at isAdditionalFlowStep().
1 parent dbec17f commit d8b8dda

2 files changed

Lines changed: 40 additions & 3 deletions

File tree

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,8 +42,16 @@ predicate whitelistFunction(Function f, int arg) {
4242
(arg = 1 or arg = 2)
4343
}
4444

45+
<<<<<<< HEAD
4546
predicate whitelisted(FunctionCall fc) {
4647
exists(Function f, int arg | f = fc.getTarget() | whitelistFunction(f, arg))
48+
=======
49+
predicate underscoreMacro(Expr e) {
50+
exists(MacroInvocation mi |
51+
mi.getMacroName() = "_" and
52+
mi.getExpr() = e
53+
)
54+
>>>>>>> [CPP-370] First attempt at isAdditionalFlowStep().
4755
}
4856

4957
predicate isNonConst(DataFlow::Node node) {
@@ -88,11 +96,26 @@ predicate isNonConst(DataFlow::Node node) {
8896
)
8997
)
9098
or
99+
<<<<<<< HEAD
91100
node instanceof DataFlow::DefinitionByReferenceNode
92101
}
93102

94103
class NonConstFlow extends TaintTracking::Configuration {
95104
NonConstFlow() { this = "NonConstFlow" }
105+
=======
106+
// we let the '_' macro through regardless of what it points at
107+
underscoreMacro(e)
108+
}
109+
110+
predicate isConst(Expr e) {
111+
e instanceof StringLiteral
112+
or
113+
whitelisted(e)
114+
}
115+
116+
class ConstFlow extends DataFlow::Configuration {
117+
ConstFlow() { this = "ConstFlow" }
118+
>>>>>>> [CPP-370] First attempt at isAdditionalFlowStep().
96119

97120
override predicate isSource(DataFlow::Node source) { isNonConst(source) }
98121

@@ -101,6 +124,20 @@ class NonConstFlow extends TaintTracking::Configuration {
101124
sink.asExpr() = fc.getArgument(fc.getFormatParameterIndex())
102125
)
103126
}
127+
128+
override predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node sink) {
129+
none()
130+
or
131+
// an element picked from an array of string literals is a string literal
132+
exists(Variable v, int a |
133+
a = sink.asExpr().(ArrayExpr).getArrayOffset().getValue().toInt() and
134+
v = sink.asExpr().(ArrayExpr).getArrayBase().(VariableAccess).getTarget()
135+
|
136+
// we disallow parameters, since they may be bound to unsafe arguments
137+
// at various call sites.
138+
not v instanceof Parameter and source.asExpr() instanceof StringLiteral
139+
)
140+
}
104141
}
105142

106143
from FormattingFunctionCall call, Expr formatString

cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -94,14 +94,14 @@ int main(int argc, char **argv) {
9494
const char *hello = "Hello, World\n";
9595
const char **p = &hello;
9696
(*p)++;
97-
printf(hello); // NOT OK
97+
printf(hello); // NOT OK [NOT DETECTED]
9898
}
9999
{
100100
// Same as above block but through a C++ reference
101101
const char *hello = "Hello, World\n";
102102
const char *&p = hello;
103103
p++;
104-
printf(hello); // NOT OK
104+
printf(hello); // NOT OK [NOT DETECTED]
105105
}
106106
if (gettext_debug) {
107107
printf(new char[100]); // NOT OK
@@ -132,4 +132,4 @@ void another_func(void) {
132132
printf(message); // OK
133133
printf("Hello, World\n"); // OK
134134
printf(gettext("Hello, World\n")); // OK
135-
}
135+
}

0 commit comments

Comments
 (0)