CPP: Include offsetof type calculations in memberMayBeVarSize.

geoffw0 · geoffw0 · commit 69785fcae6f7 · 2018-10-25T09:09:29.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
@@ -1,30 +1,6 @@
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
 
-/**
- * Holds if `sizeof(s)` occurs as part of the parameter of a dynamic
- * memory allocation (`malloc`, `realloc`, etc.), except if `sizeof(s)`
- * only ever occurs as the immediate parameter to allocations.
- *
- * For example, holds for `s` if it occurs as
- * ```
- * malloc(sizeof(s) + 100 * sizeof(char))
- * ```
- * but not if it only ever occurs as
- * ```
- * malloc(sizeof(s))
- * ```
-*/
-private predicate isDynamicallyAllocatedWithDifferentSize(Class s) {
-  exists(SizeofOperator so |
-    so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = s or
-    so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = s |
-    // Check all ancestor nodes except the immediate parent for
-    // allocations.
-    isStdLibAllocationExpr(so.getParent().(Expr).getParent+())
-  )
-}
-
 /**
  * Holds if `v` is a member variable of `c` that looks like it might be variable sized in practice.  For
  * example:
@@ -35,15 +11,38 @@ private predicate isDynamicallyAllocatedWithDifferentSize(Class s) {
  * };
  * ```
  * This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.  In addition,
- * there must be at least one instance where a `c` pointer is allocated with additional space. 
+ * there must be at least one instance where a `c` pointer is allocated with additional space.  For
+ * example, holds for `c` if it occurs as
+ * ```
+ * malloc(sizeof(c) + 100 * sizeof(char))
+ * ```
+ * but not if it only ever occurs as
+ * ```
+ * malloc(sizeof(c))
+ * ``` 
  */
 predicate memberMayBeVarSize(Class c, MemberVariable v) {
   exists(int i |
+    // `v` is the last field in `c`
     i = max(int j | c.getCanonicalMember(j) instanceof Field | j) and
     v = c.getCanonicalMember(i) and
+
+    // v is an array of size at most 1
     v.getType().getUnspecifiedType().(ArrayType).getSize() <= 1
-  ) and
-  isDynamicallyAllocatedWithDifferentSize(c)
+  ) and (
+    exists(SizeofOperator so |
+      // `sizeof(c)` is taken
+      so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
+      so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = c |
+      // Check all ancestor nodes except the immediate parent for
+      // allocations.
+      isStdLibAllocationExpr(so.getParent().(Expr).getParent+())
+    ) or exists(AddressOfExpr aoe |
+      // `&(c.v)` is taken
+      aoe.getAddressable() = v and
+      isStdLibAllocationExpr(aoe.getParent().(Expr).getParent+())
+    )
+  )
 }
 
 /**
