

Commit e0798b2

committed
stash: change sinks to zip handles and sources to the zip handle initializers
1 parent 065c527 commit e0798b2

1 file changed

Lines changed: 16 additions & 0 deletions


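--- a/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql
@@ -21,6 +21,7 @@ import semmle.code.cpp.security.FlowSources
 private class PointerVar extends VariableAccess {
 PointerVar() { this.getType() instanceof PointerType }
 }
+
 /**
 * A unsigned char Variable is used in Flow source
 */
@@ -56,6 +57,18 @@ private class MzUncompress extends Function {
 MzUncompress() { this.hasGlobalName(["uncompress", "mz_uncompress", "mz_uncompress2"]) }
 }
 
+/**
+* A `zip handle` is used in Flow source
+*/
+private class MzZip extends Function {
+MzZip() {
+this.hasGlobalName([
+"mz_zip_reader_open", "mz_zip_reader_open_file", "mz_zip_reader_open_file_in_memory",
+"mz_zip_reader_open_buffer", "mz_zip_reader_entry_open"
+])
+}
+}
+
 /**
 * The `mz_inflate` functions are used in Flow Sink
 */
@@ -138,6 +151,9 @@ module MinizTaintConfig implements DataFlow::StateConfigSig {
 source.asDefiningArgument() =
 any(Call call | call.getTarget() instanceof MzInflateInit).getArgument(0) and
 state = "inflate"
+or
+source.asDefiningArgument() = any(Call call | call.getTarget() instanceof MzZip).getArgument(0) and
+state = ""
 }
 
 predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {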
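Review bot: The new `MzZip` source is bound to the empty flow state `state = ""` while the existing `MzInflateInit` source uses `"inflate"`, so this disjunct only yields results if `isSink` (whose body continues past this hunk) also accepts an empty state; please confirm that, or give the zip path a named state such as `state = "zip"` and add a comment in `isSource` saying which sink each state feeds. Separately, `mz_zip_reader_entry_open` appears to operate on a handle that one of the four `mz_zip_reader_open*` functions has already opened, so listing it among the "initializers" looks redundant rather than harmful — worth a one-line comment in `MzZip` if it is intentional. The `MzZip` doc comment "A `zip handle` is used in Flow source" describes neither what the class matches nor why; I would replace it with `/** The zip-reader open functions whose handle argument becomes a taint source for the zip flow state. */` and, since these names do not match the `mz_inflate`/`mz_uncompress` naming of the rest of the file, note which API they come from.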
