Merge pull request #492 from geoffw0/offsetuse

Approved by dave-bartolomeo

Author: semmle-qlci

change-notes/1.19/analysis-cpp.md

@@ -15,6 +15,7 @@
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| Array offset used before range check | More results and fewer false positive results | The query now recognizes array accesses in different positions within the expression.  False positives where the range is checked before and after the array access have been fixed. |
 | Empty branch of conditional | Fewer false positive results | The query now recognizes commented blocks more reliably. |
 | Expression has no effect | Fewer false positive results | Expressions in template instantiations are now excluded from this query. |
 | Global could be static | Fewer false positive results | Variables with declarations in header files are now excluded from this query. |

cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
+ * @precision medium
  * @tags reliability
  *       security
  *       external/cwe/cwe-120
@@ -13,10 +14,29 @@
 
 import cpp
 
-from Variable v, LogicalAndExpr andexpr, ArrayExpr access, LTExpr rangecheck
-where access.getArrayOffset() = v.getAnAccess()
-  and andexpr.getLeftOperand().getAChild() = access
-  and andexpr.getRightOperand() = rangecheck
-  and rangecheck.getLeftOperand() = v.getAnAccess()
-  and not access.isInMacroExpansion()
+predicate beforeArrayAccess(Variable v, ArrayExpr access, Expr before) {
+  exists(LogicalAndExpr andexpr |
+    access.getArrayOffset() = v.getAnAccess() and
+    andexpr.getRightOperand().getAChild*() = access and
+    andexpr.getLeftOperand() = before
+  )
+}
+
+predicate afterArrayAccess(Variable v, ArrayExpr access, Expr after) {
+  exists(LogicalAndExpr andexpr |
+    access.getArrayOffset() = v.getAnAccess() and
+    andexpr.getLeftOperand().getAChild*() = access and
+    andexpr.getRightOperand() = after
+  )
+}
+
+from Variable v, ArrayExpr access, LTExpr rangecheck
+where
+  afterArrayAccess(v, access, rangecheck) and
+  rangecheck.getLeftOperand() = v.getAnAccess() and
+  not access.isInMacroExpansion() and
+  not exists(LTExpr altcheck |
+    beforeArrayAccess(v, access, altcheck) and
+    altcheck.getLeftOperand() = v.getAnAccess()
+  )
 select access, "This use of offset '" + v.getName() + "' should follow the $@.", rangecheck, "range check"

cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.expected

@@ -0,0 +1,6 @@
+| test.cpp:11:10:11:18 | access to array | This use of offset 'i' should follow the $@. | test.cpp:11:32:11:45 | ... < ... | range check |
+| test.cpp:15:7:15:15 | access to array | This use of offset 'i' should follow the $@. | test.cpp:15:29:15:42 | ... < ... | range check |
+| test.cpp:27:7:27:15 | access to array | This use of offset 'i' should follow the $@. | test.cpp:27:39:27:52 | ... < ... | range check |
+| test.cpp:39:8:39:16 | access to array | This use of offset 'i' should follow the $@. | test.cpp:39:30:39:47 | ... < ... | range check |
+| test.cpp:44:7:44:15 | access to array | This use of offset 'i' should follow the $@. | test.cpp:44:22:44:35 | ... < ... | range check |
+| test.cpp:47:7:47:15 | access to array | This use of offset 'i' should follow the $@. | test.cpp:47:33:47:46 | ... < ... | range check |

cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref

@@ -0,0 +1 @@
+Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp

@@ -0,0 +1,50 @@
+
+void test(char *buffer, int bufferSize)
+{
+	int i;
+
+	// skip whitespace
+	i = 0;
+	while ((i < bufferSize) && (buffer[i] == ' ')) { i++; } // GOOD
+
+	i = 0;
+	while ((buffer[i] == ' ') && (i < bufferSize)) { i++; } // BAD
+
+	// check for 'x'
+	if ((i < bufferSize) && (buffer[i] == 'x')) {} // GOOD
+	if ((buffer[i] == 'x') && (i < bufferSize)) {} // BAD
+
+	if ((bufferSize > i) && (buffer[i] == 'x')) {} // GOOD
+	if ((buffer[i] == 'x') && (bufferSize > i)) {} // BAD [NOT DETECTED]
+
+	if ((i <= bufferSize - 1) && (buffer[i] == 'x')) {} // GOOD
+	if ((buffer[i] == 'x') && (i <= bufferSize - 1)) {} // BAD [NOT DETECTED]
+
+	if ((bufferSize >= i + 1) && (buffer[i] == 'x')) {} // GOOD
+	if ((buffer[i] == 'x') && (bufferSize >= i + 1)) {} // BAD [NOT DETECTED]
+
+	if ((i < bufferSize) && (true) && (buffer[i] == 'x')) {} // GOOD
+	if ((buffer[i] == 'x') && (true) && (i < bufferSize)) {} // BAD
+
+	if ((i < bufferSize - 1) && (buffer[i + 1] == 'x')) {} // GOOD
+	if ((buffer[i + 1] == 'x') && (i < bufferSize - 1)) {} // BAD [NOT DETECTED]
+
+	if ((i < bufferSize) && (buffer[i] == 'x') && (i < bufferSize - 1)) {} // GOOD
+	if ((i < bufferSize) && ((buffer[i] == 'x') && (i < bufferSize - 1))) {} // GOOD
+	if ((i < bufferSize + 1) && (buffer[i] == 'x') && (i < bufferSize)) {} // BAD [NOT DETECTED]
+	if ((i < bufferSize + 1) && ((buffer[i] == 'x') && (i < bufferSize))) {} // BAD [NOT DETECTED]
+
+	// look for 'ab'
+	for (i = 0; i < bufferSize; i++) {
+		if ((buffer[i] == 'a') && (i < bufferSize - 1) && (buffer[i + 1] == 'b')) // GOOD [FALSE POSITIVE]
+			break;
+	}
+
+	if ((i < bufferSize) && (buffer[i])) {} // GOOD
+	if ((buffer[i]) && (i < bufferSize)) {} // BAD
+
+	if ((i < bufferSize) && (buffer[i] + 1 == 'x')) {} // GOOD
+	if ((buffer[i] + 1 == 'x') && (i < bufferSize)) {} // BAD
+
+	if ((buffer != 0) && (i < bufferSize)) {} // GOOD
+}