C++: tests for constant-size off-by-one query

Author: rdmarsh2

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -0,0 +1,8 @@
+| test.cpp:35:5:35:22 | PointerAdd: access to array | This pointer may have an off-by-1 error allowing it to overrun $@ | test.cpp:15:9:15:11 | buf | buf |
+| test.cpp:36:5:36:24 | PointerAdd: access to array | This pointer may have an off-by-2 error allowing it to overrun $@ | test.cpp:15:9:15:11 | buf | buf |
+| test.cpp:43:9:43:19 | PointerAdd: access to array | This pointer may have an off-by-1 error allowing it to overrun $@ | test.cpp:15:9:15:11 | buf | buf |
+| test.cpp:49:5:49:22 | PointerAdd: access to array | This pointer may have an off-by-1 error allowing it to overrun $@ | test.cpp:19:9:19:11 | buf | buf |
+| test.cpp:50:5:50:24 | PointerAdd: access to array | This pointer may have an off-by-2 error allowing it to overrun $@ | test.cpp:19:9:19:11 | buf | buf |
+| test.cpp:57:9:57:19 | PointerAdd: access to array | This pointer may have an off-by-1 error allowing it to overrun $@ | test.cpp:19:9:19:11 | buf | buf |
+| test.cpp:61:9:61:19 | PointerAdd: access to array | This pointer may have an off-by-2 error allowing it to overrun $@ | test.cpp:19:9:19:11 | buf | buf |
+| test.cpp:77:27:77:44 | PointerAdd: access to array | This pointer may have an off-by-1 error allowing it to overrun $@ | test.cpp:15:9:15:11 | buf | buf |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp

@@ -0,0 +1,80 @@
+#define MAX_SIZE 1024
+
+struct ZeroArray {
+    int size;
+    int buf[0];
+};
+
+struct OneArray {
+    int size;
+    int buf[1];
+};
+
+struct BigArray {
+    int size;
+    int buf[MAX_SIZE];
+};
+
+struct ArrayAndFields {
+    int buf[MAX_SIZE];
+    int field1;
+    int field2;
+};
+
+// tests for dynamic-size trailing arrays
+void testZeroArray(ZeroArray *arr) {
+    arr->buf[0] = 0;
+}
+
+void testOneArray(OneArray *arr) {
+    arr->buf[1] = 0;
+}
+
+void testBig(BigArray *arr) {
+    arr->buf[MAX_SIZE-1] = 0; // GOOD
+    arr->buf[MAX_SIZE] = 0;   // BAD
+    arr->buf[MAX_SIZE+1] = 0; // BAD
+
+    for(int i = 0; i < MAX_SIZE; i++) {
+        arr->buf[i] = 0; // GOOD
+    }
+    
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        arr->buf[i] = 0; // BAD
+    }
+}
+
+void testFields(ArrayAndFields *arr) {
+    arr->buf[MAX_SIZE-1] = 0; // GOOD
+    arr->buf[MAX_SIZE] = 0;   // BAD?
+    arr->buf[MAX_SIZE+1] = 0; // BAD?
+
+    for(int i = 0; i < MAX_SIZE; i++) {
+        arr->buf[i] = 0; // GOOD
+    }
+    
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        arr->buf[i] = 0; // BAD?
+    }
+
+    for(int i = 0; i < MAX_SIZE+2; i++) {
+        arr->buf[i] = 0; // BAD?
+    }
+    // is this different if it's a memcpy?
+}
+
+void assignThroughPointer(int *p) {
+    *p = 0; // ??? should the result go at a flow source?
+}
+
+void addToPointerAndAssign(int *p) {
+    p[MAX_SIZE-1] = 0; // GOOD
+    p[MAX_SIZE] = 0; // BAD
+}
+
+void testInterproc(BigArray *arr) {
+    assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
+    assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
+
+    addToPointerAndAssign(arr->buf);
+}