
Commit e03b4f0

Merge pull request #293 from geoffw0/zerosizebuffer
CPP: Better handling of zero-sized buffers
2 parents 33c02fe + 698f895 commit e03b4f0

3 files changed

+10
-3
lines changed


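--- a/change-notes/1.19/analysis-cpp.md
+++ b/change-notes/1.19/analysis-cpp.md
@@ -28,3 +28,4 @@
 
 * Added a hash consing library for structural comparison of expressions.
 * `getBufferSize` now detects variable size structs more reliably.
+* Buffer.qll now treats arrays of zero size as a special case.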

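--- a/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
+++ b/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
@@ -104,9 +104,13 @@ where
 // Some of the functions operate on a larger char type, like `wchar_t`, so we
 // need to take this into account in the fixed size case.
 charSize = f.getParameter(argDest).getType().getUnspecifiedType().(PointerType).getBaseType().getSize() and
-if exists (fc.getArgument(argLimit).getValue().toInt()) then (
+if exists(fc.getArgument(argLimit).getValue().toInt()) then (
 // Fixed sized case
-arrayExprFixedSize(copyDest) < charSize * fc.getArgument(argLimit).getValue().toInt()
+exists(int size |
+size = arrayExprFixedSize(copyDest) and
+size < charSize * fc.getArgument(argLimit).getValue().toInt() and
+size != 0 // if the array has zero size, something special is going on
+)
 ) else exists (Access takenSizeOf, BufferSizeExpr sizeExpr, int plus |
 // Variable sized case
 sizeExpr = fc.getArgument(argLimit).getAChild*() and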
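Review bot: The new `size != 0` conjunct silences the alert for every zero-sized destination, but the trailing comment `// if the array has zero size, something special is going on` leaves the next reader guessing what the special case is and why skipping it is safe. The companion change in Buffer.qll spells out the rationale (zero-sized arrays often act like a 'union' overlapping other fields), and the same reasoning belongs here, e.g. `size != 0 // zero-sized arrays (e.g. the trailing-array idiom) carry no meaningful declared bound; skip them to avoid false positives`. It is also worth stating that this is a deliberate false-negative trade-off: a genuine strncpy into such a member is no longer reported by the fixed-size path, so a reader tuning the query knows where the gap is. The enclosing `where` clause starts and ends outside the hunk.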

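--- a/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
@@ -57,7 +57,9 @@ int getBufferSize(Expr bufferExpr, Element why) {
 // buffer is a fixed size array
 result = bufferVar.getType().getUnspecifiedType().(ArrayType).getSize() and
 why = bufferVar and
-not memberMayBeVarSize(_, bufferVar)
+not memberMayBeVarSize(_, bufferVar) and
+not result = 0 // zero sized arrays are likely to have special usage, for example
+// behaving a bit like a 'union' overlapping other fields.
 ) or (
 // buffer is an initialized array
 // e.g. int buffer[] = {1, 2, 3};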
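Review bot: `not result = 0` on the added line is a negated equality where QL's `result != 0` says the same thing more directly and matches the `size != 0` form the same commit uses in StrncpyFlippedArgs.ql; suggest `result != 0 // zero sized arrays are likely to have special usage, ...`. The exclusion means getBufferSize now has no result for a zero-sized fixed array, so every caller silently falls back to its unknown-size handling — that consequence belongs in the predicate's QLDoc (outside this hunk) rather than only in an inline comment, since callers cannot see this branch. Splitting the explanation across a trailing comment and a second `//` line also reads awkwardly; a single comment line above the conjunct would be clearer. getBufferSize begins and ends outside the hunk.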
