From b293dfe3a6560deee687292e9eeee607412bcbc3 Mon Sep 17 00:00:00 2001
From: Mingjie Shen
Date: Wed, 19 Nov 2025 22:06:06 +0000
Subject: [PATCH 1/2] C++: Fix CWE-119 memcpy tests

sizeof(pointer) only gives the pointer size, not the buffer size, so use explicit 10/20 lengths in tests.cpp and update OverflowBuffer.expected to accept the resulting memcpy diagnostics.

Signed-off-by: Mingjie Shen
---
 .../CWE-119/semmle/tests/OverflowBuffer.expected | 4 ++++
 .../Security/CWE/CWE-119/semmle/tests/tests.cpp | 16 ++++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
index ac0e8d3a25a8..f9f887b64091 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
@@ -1,6 +1,10 @@
 | overflowdestination.cpp:46:2:46:7 | call to memcpy | This 'memcpy' operation accesses 128 bytes but the $@ is only 64 bytes. | overflowdestination.cpp:40:7:40:10 | dest | destination buffer |
 | tests.cpp:23:2:23:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:19:7:19:17 | smallbuffer | source buffer |
 | tests.cpp:25:2:25:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:19:7:19:17 | smallbuffer | destination buffer |
+| tests.cpp:34:2:34:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:30:30:30:35 | call to malloc | source buffer |
+| tests.cpp:36:2:36:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:30:30:30:35 | call to malloc | destination buffer |
+| tests.cpp:50:2:50:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:46:16:46:27 | new[] | source buffer |
+| tests.cpp:52:2:52:7 | call to memcpy | This 'memcpy' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:46:16:46:27 | new[] | destination buffer |
 | tests.cpp:172:23:172:31 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:170:17:170:41 | {...} | array |
 | tests.cpp:176:23:176:30 | access to array | This array indexing operation accesses byte offset 31 but the $@ is only 24 bytes. | tests.cpp:170:17:170:41 | {...} | array |
 | tests.cpp:222:3:222:8 | call to memset | This 'memset' operation accesses 33 bytes but the $@ is only 32 bytes. | tests.cpp:214:8:214:14 | buffer1 | destination buffer |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
index 555c8e25fb50..bcf10eb436a2 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -30,10 +30,10 @@ void test2()
 char *smallbuffer = (char *)malloc(sizeof(char) * 10);
 char *bigbuffer = (char *)malloc(sizeof(char) * 20);
 
- memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD
- memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read [NOT DETECTED]
- memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD
- memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write [NOT DETECTED]
+ memcpy(bigbuffer, smallbuffer, 10); // GOOD
+ memcpy(bigbuffer, smallbuffer, 20); // BAD: over-read
+ memcpy(smallbuffer, bigbuffer, 10); // GOOD
+ memcpy(smallbuffer, bigbuffer, 20); // BAD: over-write
 
 free(bigbuffer);
 free(smallbuffer);
@@ -46,10 +46,10 @@ void test3()
 smallbuffer = new char[10];
 bigbuffer = new char[20];
 
- memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD
- memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read [NOT DETECTED]
- memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD
- memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write [NOT DETECTED]
+ memcpy(bigbuffer, smallbuffer, 10); // GOOD
+ memcpy(bigbuffer, smallbuffer, 20); // BAD: over-read
+ memcpy(smallbuffer, bigbuffer, 10); // GOOD
+ memcpy(smallbuffer, bigbuffer, 20); // BAD: over-write
 
 delete [] bigbuffer;
 delete [] smallbuffer;

From 25a46a82ba04025e6aab93874b4291edf295802b Mon Sep 17 00:00:00 2001
From: Mingjie Shen
Date: Thu, 27 Nov 2025 05:10:58 +0000
Subject: [PATCH 2/2] C++: Use appropriate sizeof in CWE-119 memcpy tests

Signed-off-by: Mingjie Shen
---
 .../Security/CWE/CWE-119/semmle/tests/tests.cpp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
index bcf10eb436a2..603d868258a9 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -30,10 +30,10 @@ void test2()
 char *smallbuffer = (char *)malloc(sizeof(char) * 10);
 char *bigbuffer = (char *)malloc(sizeof(char) * 20);
 
- memcpy(bigbuffer, smallbuffer, 10); // GOOD
- memcpy(bigbuffer, smallbuffer, 20); // BAD: over-read
- memcpy(smallbuffer, bigbuffer, 10); // GOOD
- memcpy(smallbuffer, bigbuffer, 20); // BAD: over-write
+ memcpy(bigbuffer, smallbuffer, sizeof(char) * 10); // GOOD
+ memcpy(bigbuffer, smallbuffer, sizeof(char) * 20); // BAD: over-read
+ memcpy(smallbuffer, bigbuffer, sizeof(char) * 10); // GOOD
+ memcpy(smallbuffer, bigbuffer, sizeof(char) * 20); // BAD: over-write
 
 free(bigbuffer);
 free(smallbuffer);
@@ -46,10 +46,10 @@ void test3()
 smallbuffer = new char[10];
 bigbuffer = new char[20];
 
- memcpy(bigbuffer, smallbuffer, 10); // GOOD
- memcpy(bigbuffer, smallbuffer, 20); // BAD: over-read
- memcpy(smallbuffer, bigbuffer, 10); // GOOD
- memcpy(smallbuffer, bigbuffer, 20); // BAD: over-write
+ memcpy(bigbuffer, smallbuffer, sizeof(char[10])); // GOOD
+ memcpy(bigbuffer, smallbuffer, sizeof(char[20])); // BAD: over-read
+ memcpy(smallbuffer, bigbuffer, sizeof(char[10])); // GOOD
+ memcpy(smallbuffer, bigbuffer, sizeof(char[20])); // BAD: over-write
 
 delete [] bigbuffer;
 delete [] smallbuffer;
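Review bot: The size expressions in this test2 hunk and in the test3 hunk that follows spell the same 10/20-byte lengths two different ways, `sizeof(char) * 10` here and `sizeof(char[10])` in test3, and nothing in either hunk says why. If the intent is to mirror each function's allocation form (`malloc(sizeof(char) * 10)` versus `new char[10]`) so that the query is exercised on both spellings of a constant size, that deserves a comment so a later cleanup does not unify them; e.g. `// size written as sizeof(char) * N to mirror the malloc call; test3 uses sizeof(char[N]) to mirror new[]`. Either way the GOOD/BAD labels still rest only on 10 versus 20 bytes against the 10-byte buffer, so the diagnostics added to OverflowBuffer.expected in the first patch should be unaffected, which the absence of an .expected change in this patch suggests. The bodies of test2 and test3 start and end outside their hunks.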