C++: restrict to end-of-allocation pointers

Author: rdmarsh2

cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql

@@ -27,10 +27,15 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {
       pai.getRight() = index and
       pai.getLeft() = sink1.asInstruction() and
       bounded(index, b, delta, true) and
-      sink2.asInstruction() = b.getInstruction())
+      sink2.asInstruction() = b.getInstruction() and
+      delta >= 0
+    )
   }
 }
 
-from ArraySizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1, DataFlow2::PathNode sink2
+from
+  ArraySizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
+  DataFlow::PathNode sink1, DataFlow2::PathNode sink2
 where conf.hasFlowPath(source1, source2, sink1, sink2)
-select source1, source2, sink1, sink2
+// TODO: pull delta out and display it
+select source1, source2, sink1, sink2

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected

@@ -1,46 +1,23 @@
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:6:9:6:11 | arr | test.cpp:4:24:4:27 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:6:9:6:11 | arr | test.cpp:4:24:4:27 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:6:9:6:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:6:9:6:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:6:9:6:11 | arr | test.cpp:9:26:9:29 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:4:24:4:27 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:4:24:4:27 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:6:9:6:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:6:9:6:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:6:9:6:11 | arr | test.cpp:9:26:9:29 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:6:9:6:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:6:9:6:11 | arr | test.cpp:9:26:9:29 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
 | test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:59:13:59:13 | p | test.cpp:55:5:55:19 | Store |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:59:13:59:13 | p | test.cpp:55:16:55:19 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:59:13:59:13 | p | test.cpp:55:16:55:19 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:59:13:59:13 | p | test.cpp:56:20:56:23 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:5:55:19 | Store |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:16:55:19 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:16:55:19 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:59:13:59:13 | p | test.cpp:56:20:56:23 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:59:13:59:13 | p | test.cpp:56:20:56:23 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:59:13:59:13 | p | test.cpp:58:29:58:32 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:59:13:59:13 | p | test.cpp:58:29:58:32 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | p | test.cpp:58:29:58:32 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | p | test.cpp:58:29:58:32 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:59:13:59:13 | p | test.cpp:62:30:62:33 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:59:13:59:13 | p | test.cpp:62:30:62:33 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | p | test.cpp:62:30:62:33 | size |
 | test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | p | test.cpp:62:30:62:33 | size |
-| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:79:14:79:14 | p | test.cpp:78:30:78:33 | size |
 | test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:83:14:83:14 | p | test.cpp:82:31:82:34 | size |
-| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:89:14:89:14 | p | test.cpp:88:30:88:33 | size |
-| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:89:14:89:14 | p | test.cpp:92:31:92:34 | size |
 | test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:88:30:88:33 | size |
 | test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:92:31:92:34 | size |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp

@@ -28,21 +28,21 @@ void test2(int size) {
     array_t arr = mk_array(size);
 
     for (int i = 0; i < arr.size; i++) {
-        arr.p[i] = 0;
+        arr.p[i] = 0; // GOOD
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i;
+        arr.p[i] = i; // BAD
     }
 }
 
 void test3_callee(array_t arr) {
     for (int i = 0; i < arr.size; i++) {
-        arr.p[i] = 0;
+        arr.p[i] = 0; // GOOD
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i;
+        arr.p[i] = i; // BAD
     }
 }
 
@@ -56,11 +56,11 @@ void test4(int size) {
     arr.p = malloc(size);
 
     for (int i = 0; i < arr.size; i++) {
-        arr.p[i] = 0;
+        arr.p[i] = 0; // GOOD
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i;
+        arr.p[i] = i; // BAD
     }
 }
 
@@ -76,21 +76,21 @@ void test5(int size) {
     array_t *arr = mk_array_p(size);
 
     for (int i = 0; i < arr->size; i++) {
-        arr->p[i] = 0;
+        arr->p[i] = 0; // GOOD
     }
 
     for (int i = 0; i <= arr->size; i++) {
-        arr->p[i] = i;
+        arr->p[i] = i; // BAD
     }
 }
 
 void test6_callee(array_t *arr) {
     for (int i = 0; i < arr->size; i++) {
-        arr->p[i] = 0;
+        arr->p[i] = 0; // GOOD
     }
 
     for (int i = 0; i <= arr->size; i++) {
-        arr->p[i] = i;
+        arr->p[i] = i; // BAD
     }
 }