CPP: New mechanism for string types in printf.qll.

geoffw0 · geoffw0 · commit e2be19b55540 · 2018-10-05T16:40:54.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/commons/Printf.qll b/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
@@ -239,6 +239,32 @@ class FormatLiteral extends Literal {
     getUse().getTarget().(FormattingFunction).isWideCharDefault()
   }
 
+  /**
+   * Gets the default character type expected for `%s` by this format literal.  Typically
+   * `char` or `wchar_t`.
+   */
+  Type getDefaultCharType() {
+    result = getUse().getTarget().(FormattingFunction).getDefaultCharType()
+  }
+
+  /**
+   * Gets the non-default character type expected for `%S` by this format literal.  Typically
+   * `wchar_t` or `char`.  On some snapshots there may be multiple results where we can't tell
+   * which is correct for a particular function.
+   */
+  Type getNonDefaultCharType() {
+    result = getUse().getTarget().(FormattingFunction).getNonDefaultCharType()
+  }
+
+  /**
+   * Gets the wide character type for this format literal.  This is usually `wchar_t`.  On some
+   * snapshots there may be multiple results where we can't tell which is correct for a
+   * particular function.
+   */
+  Type getWideCharType() {
+    result = getUse().getTarget().(FormattingFunction).getWideCharType()
+  }
+
   /**
    * Holds if this `FormatLiteral` is in a context that supports
    * Microsoft rules and extensions.
@@ -648,7 +674,6 @@ class FormatLiteral extends Literal {
     result = getConversionType2(n) or
     result = getConversionType3(n) or
     result = getConversionType4(n) or
-    result = getConversionType5(n) or
     result = getConversionType6(n) or
     result = getConversionType7(n) or
     result = getConversionType8(n) or
@@ -715,38 +740,34 @@ class FormatLiteral extends Literal {
   }
 
   /**
-   * Gets the 'effective' string type character, that is, 's' (meaning a char string) or
-   * 'S' (meaning a wide string).
-   *  - in the base case this is the same as the format type character.
-   *  - for a `wprintf` or similar function call, the meanings are reversed.
-   *  - the size prefixes 'l'/'w' (long) and 'h' (short) override the
-   *    type character to effectively 'S' or 's' respectively.
+   * Gets the string type required by the nth conversion specifier.
+   *  - in the base case this is the default for the formatting function
+   *    (e.g. `char` for `printf`, `wchar_t` for `wprintf`).
+   *  - the `%S` format character reverses wideness.
+   *  - the size prefixes 'l'/'w' and 'h' override the type character
+   *    to wide or single-byte characters respectively.
    */
-  private string getEffectiveStringConversionChar(int n) {
-    exists(string len, string conv | this.parseConvSpec(n, _, _, _, _, _, len, conv) and (conv = "s" or conv = "S") |
-      (len = "l" and result = "S") or
-      (len = "w" and result = "S") or
-      (len = "h" and result = "s") or
-      (len != "l" and len != "w" and len != "h" and (result = "s" or result = "S") and (if isWideCharDefault() then result != conv else result = conv))
-    )
-  }
-
   private Type getConversionType4(int n) {
-    exists(string cnv, CharType t | cnv = this.getEffectiveStringConversionChar(n) |
-      cnv="s" and t = result.(PointerType).getBaseType()
-      and not t.isExplicitlySigned()
-      and not t.isExplicitlyUnsigned()
-    )
-  }
-
-  private Type getConversionType5(int n) {
-    exists(string cnv | cnv = this.getEffectiveStringConversionChar(n) |
-      cnv="S" and
+    exists(string len, string conv |
+      this.parseConvSpec(n, _, _, _, _, _, len, conv) and
       (
-        result = getAFormatterWideType()
-        or
-        not exists(getAFormatterWideType()) and
-        result.(PointerType).getBaseType().hasName("wchar_t")
+        (
+          (conv = "s" or conv = "S") and
+          len = "h" and
+          result.(PointerType).getBaseType() instanceof PlainCharType
+        ) or (
+          (conv = "s" or conv = "S") and
+          (len = "l" or len = "w") and
+          result.(PointerType).getBaseType() = getWideCharType()
+        ) or (
+          conv = "s" and
+          (len != "l" and len != "w" and len != "h") and
+          result.(PointerType).getBaseType() = getDefaultCharType()
+        ) or (
+          conv = "S" and
+          (len != "l" and len != "w" and len != "h") and
+          result.(PointerType).getBaseType() = getNonDefaultCharType()
+        )
       )
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -7,6 +7,18 @@
  */
 
 import semmle.code.cpp.Function
+/**
+ * A type that is used as a format string by any formatting function, or `wchar_t` if
+ * there is none.
+ */
+private Type getAFormatterWideTypeOrDefault() {
+  result = getAFormatterWideType().(PointerType).getBaseType() or
+  (
+    not exists(getAFormatterWideType().(PointerType).getBaseType()) and
+    result instanceof Wchar_t
+  )
+}
+
 /**
  * A standard library function that uses a `printf`-like formatting string.
  */
@@ -20,6 +32,43 @@ abstract class FormattingFunction extends Function {
    */
   predicate isWideCharDefault() { none() }
 
+  /**
+   * Gets the default character type expected for `%s` by this function.  Typically
+   * `char` or `wchar_t`.
+   */
+  Type getDefaultCharType() {
+    result = getParameter(getFormatParameterIndex()).getType().
+      getUnderlyingType().(PointerType).getBaseType().stripTopLevelSpecifiers()
+  }
+
+  /**
+   * Gets the non-default character type expected for `%S` by this function.  Typically
+   * `wchar_t` or `char`.  On some snapshots there may be multiple results where we can't tell
+   * which is correct for a particular function.
+   */
+  Type getNonDefaultCharType() {
+  	(
+  	  getDefaultCharType().getSize() = 1 and
+  	  result = getAFormatterWideTypeOrDefault()
+  	) or (
+  	  getDefaultCharType().getSize() > 1 and
+  	  result instanceof PlainCharType
+  	)
+  }
+
+  /**
+   * Gets the wide character type for this function.  This is usually `wchar_t`.  On some
+   * snapshots there may be multiple results where we can't tell which is correct for a
+   * particular function.
+   */
+  Type getWideCharType() {
+    (
+      result = getDefaultCharType() or
+      result = getNonDefaultCharType()
+    ) and
+    result.getSize() > 1
+  }
+
   /**
    * Gets the position at which the output parameter, if any, occurs.
    */
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected
@@ -6,7 +6,7 @@
 | tests.cpp:26:17:26:24 | Hello | This argument should be of type 'wchar_t *' but is of type 'char16_t *' |
 | tests.cpp:30:17:30:24 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:31:17:31:24 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
-| tests.cpp:33:36:33:42 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
-| tests.cpp:34:36:34:43 | Hello | This argument should be of type 'wchar_t *' but is of type 'char16_t *' |
+| tests.cpp:33:36:33:42 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
+| tests.cpp:35:36:35:43 | Hello | This argument should be of type 'char16_t *' but is of type 'wchar_t *' |
 | tests.cpp:38:36:38:43 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:39:36:39:43 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp
@@ -31,8 +31,8 @@ void tests() {
 	wprintf(L"%S", L"Hello"); // BAD: expecting char
 
 	swprintf(buffer, BUF_SIZE, u"%s", "Hello"); // BAD: expecting char16_t
-	swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // GOOD [FALSE POSITIVE]
-	swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char16_t [NOT DETECTED]
+	swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // GOOD
+	swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char16_t
 
 	swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // GOOD
 	swprintf(buffer, BUF_SIZE, u"%S", u"Hello"); // BAD: expecting char
