CPP: Add local dataflow to (one bit of) OverflowStatic.ql.

geoffw0 · geoffw0 · commit ea56a5d9cecf · 2018-11-22T15:49:13.000Z
diff --git a/cpp/ql/src/Critical/OverflowStatic.ql b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -82,22 +82,31 @@ class CallWithBufferSize extends FunctionCall
   Expr buffer() {
     exists(int i |
       bufferAndSizeFunction(this.getTarget(), i, _) and
-      result = this.getArgument(i))
+      result = this.getArgument(i)
+    )
   }
-  Expr statedSize() {
+  Expr statedSizeExpr() {
     exists(int i |
       bufferAndSizeFunction(this.getTarget(), _, i) and
-      result = this.getArgument(i))
+      result = this.getArgument(i)
+    )
+  }
+  int statedSizeValue() {
+    exists(Expr statedSizeSrc |
+      DataFlow::localFlowStep*(DataFlow::exprNode(statedSizeSrc), DataFlow::exprNode(statedSizeExpr())) and
+      result = statedSizeSrc.getValue().toInt()
+    )
   }
 }
 
 predicate wrongBufferSize(Expr error, string msg) {
-  exists(CallWithBufferSize call, int bufsize, Variable buf |
+  exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
     staticBuffer(call.buffer(), buf, bufsize) and
-    call.statedSize().getValue().toInt() > bufsize and
-    error = call.statedSize() and
+    statedSize = call.statedSizeValue() and
+    statedSize > bufsize and
+    error = call.statedSizeExpr() and
     msg = "Potential buffer-overflow: '" + buf.getName() +
-    "' has size " + bufsize.toString() + " not " + call.statedSize().getValue() + ".")
+    "' has size " + bufsize.toString() + " not " + statedSize + ".")
 }
 
 predicate outOfBounds(BufferAccess bufaccess, string msg)
diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected b/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected
@@ -6,3 +6,4 @@
 | test.cpp:20:3:20:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer2' has 3 elements. |
 | test.cpp:24:27:24:27 | 4 | Potential buffer-overflow: 'buffer1' has size 3 not 4. |
 | test.cpp:26:27:26:27 | 4 | Potential buffer-overflow: 'buffer2' has size 3 not 4. |
+| test.cpp:40:22:40:27 | amount | Potential buffer-overflow: 'buffer' has size 100 not 101. |
diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp
@@ -37,7 +37,7 @@ void f2(char *src)
 	amount = amount + 1;
 	memcpy(buffer, src, amount); // BAD [NOT DETECTED]
 	amount = 101;
-	memcpy(buffer, src, amount); // BAD [NOT DETECTED]
+	memcpy(buffer, src, amount); // BAD
 
 	ptr = buffer;
 	memcpy(ptr, src, 101); // BAD [NOT DETECTED]
