C++: exclude end pointers in iterator-style loops

rdmarsh2 · rdmarsh2 · commit ca2694ae1df0 · 2022-09-01T17:42:19.000-04:00
diff --git a/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
@@ -21,7 +21,6 @@ class RangeAnalysisIRConfig extends IRConfiguration {
   }
 }
 
-
 predicate bounded(Instruction i, Bound b, int delta, boolean upper) {
   // TODO: reason
   semBounded(getSemanticExpr(i), b, delta, upper, _)
@@ -31,9 +30,9 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {
   ArraySizeConfiguration() { this = "ArraySizeConfiguration" }
 
   override predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) {
-    exists(GVN sizeGVN |
-      source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGVN.getAnExpr() and
-      source2.asConvertedExpr() = sizeGVN.getAnExpr()
+    exists(GVN sizeGvn |
+      source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
+      source2.asConvertedExpr() = sizeGvn.getAnExpr()
     )
   }
 
@@ -43,7 +42,16 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {
       pai.getLeft() = sink1.asInstruction() and
       bounded(index, b, delta, true) and
       sink2.asInstruction() = b.getInstruction() and
-      delta >= 0
+      (
+        delta = 0 and
+        exists(DataFlow::Node paiNode, DataFlow::Node derefNode |
+          DataFlow::localFlow(paiNode, derefNode) and
+          paiNode.asInstruction() = pai and
+          derefNode.asOperand() instanceof AddressOperand
+        )
+        or
+        delta >= 1
+      )
     )
   }
 }
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
@@ -21,3 +21,23 @@
 | test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:83:14:83:14 | p | test.cpp:82:31:82:34 | size |
 | test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:88:30:88:33 | size |
 | test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:92:31:92:34 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:104:29:104:31 | arr | test.cpp:103:24:103:27 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:104:29:104:31 | arr | test.cpp:103:24:103:27 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:104:29:104:31 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:104:29:104:31 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:104:29:104:31 | arr | test.cpp:108:36:108:39 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:108:30:108:32 | arr | test.cpp:103:24:103:27 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:108:30:108:32 | arr | test.cpp:103:24:103:27 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:108:30:108:32 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:108:30:108:32 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:103:24:103:27 | size | test.cpp:108:30:108:32 | arr | test.cpp:108:36:108:39 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:104:35:104:38 | size | test.cpp:104:29:104:31 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:104:35:104:38 | size | test.cpp:104:29:104:31 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:104:35:104:38 | size | test.cpp:104:29:104:31 | arr | test.cpp:108:36:108:39 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:104:35:104:38 | size | test.cpp:108:30:108:32 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:104:35:104:38 | size | test.cpp:108:30:108:32 | arr | test.cpp:104:35:104:38 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:104:35:104:38 | size | test.cpp:108:30:108:32 | arr | test.cpp:108:36:108:39 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:108:36:108:39 | size | test.cpp:104:29:104:31 | arr | test.cpp:108:36:108:39 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:108:36:108:39 | size | test.cpp:104:29:104:31 | arr | test.cpp:108:36:108:39 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:108:36:108:39 | size | test.cpp:108:30:108:32 | arr | test.cpp:108:36:108:39 | size |
+| test.cpp:103:17:103:22 | call to malloc | test.cpp:108:36:108:39 | size | test.cpp:108:30:108:32 | arr | test.cpp:108:36:108:39 | size |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp
@@ -3,11 +3,11 @@ char *malloc(int size);
 void test1(int size) {
     char *arr = malloc(size);
     for (int i = 0; i < size; i++) {
-        arr[i] = 0;
+        arr[i] = 0; // GOOD
     }
 
     for (int i = 0; i <= size; i++) {
-        arr[i] = i;
+        arr[i] = i; // BAD
     }
 }
 
@@ -32,7 +32,7 @@ void test2(int size) {
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i; // BAD
+        arr.p[i] = i; // BAD [NOT DETECTED]
     }
 }
 
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i; // BAD
+        arr.p[i] = i; // BAD [NOT DETECTED]
     }
 }
 
@@ -96,4 +96,15 @@ void test6_callee(array_t *arr) {
 
 void test6(int size) {
     test6_callee(mk_array_p(size));
-}
+}
+
+void test7(int size) {
+    char *arr = malloc(size);
+    for (char *p = arr; p < arr + size; p++) {
+        *p = 0; // GOOD
+    }
+
+    for (char *p = arr; p <= arr + size; p++) {
+        *p = 0; // BAD [NOT DETECTED]
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,6 @@ class RangeAnalysisIRConfig extends IRConfiguration {`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
`24`		`-`
`25`	`24`	`predicate bounded(Instruction i, Bound b, int delta, boolean upper) {`
`26`	`25`	`// TODO: reason`
`27`	`26`	`semBounded(getSemanticExpr(i), b, delta, upper, _)`
`@@ -31,9 +30,9 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {`
`31`	`30`	`ArraySizeConfiguration() { this = "ArraySizeConfiguration" }`
`32`	`31`
`33`	`32`	`override predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) {`
`34`		`- exists(GVN sizeGVN \|`
`35`		`- source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGVN.getAnExpr() and`
`36`		`- source2.asConvertedExpr() = sizeGVN.getAnExpr()`
	`33`	`+ exists(GVN sizeGvn \|`
	`34`	`+ source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and`
	`35`	`+ source2.asConvertedExpr() = sizeGvn.getAnExpr()`
`37`	`36`	`)`
`38`	`37`	`}`
`39`	`38`
`@@ -43,7 +42,16 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {`
`43`	`42`	`pai.getLeft() = sink1.asInstruction() and`
`44`	`43`	`bounded(index, b, delta, true) and`
`45`	`44`	`sink2.asInstruction() = b.getInstruction() and`
`46`		`- delta >= 0`
	`45`	`+ (`
	`46`	`+ delta = 0 and`
	`47`	`+ exists(DataFlow::Node paiNode, DataFlow::Node derefNode \|`
	`48`	`+ DataFlow::localFlow(paiNode, derefNode) and`
	`49`	`+ paiNode.asInstruction() = pai and`
	`50`	`+ derefNode.asOperand() instanceof AddressOperand`
	`51`	`+ )`
	`52`	`+ or`
	`53`	`+ delta >= 1`
	`54`	`+ )`
`47`	`55`	`)`
`48`	`56`	`}`
`49`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,11 +3,11 @@ char *malloc(int size);`
`3`	`3`	`void test1(int size) {`
`4`	`4`	`char *arr = malloc(size);`
`5`	`5`	`for (int i = 0; i < size; i++) {`
`6`		`- arr[i] = 0;`
	`6`	`+ arr[i] = 0; // GOOD`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`for (int i = 0; i <= size; i++) {`
`10`		`- arr[i] = i;`
	`10`	`+ arr[i] = i; // BAD`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`
`@@ -32,7 +32,7 @@ void test2(int size) {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`for (int i = 0; i <= arr.size; i++) {`
`35`		`- arr.p[i] = i; // BAD`
	`35`	`+ arr.p[i] = i; // BAD [NOT DETECTED]`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`
`@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`for (int i = 0; i <= arr.size; i++) {`
`45`		`- arr.p[i] = i; // BAD`
	`45`	`+ arr.p[i] = i; // BAD [NOT DETECTED]`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`
`@@ -96,4 +96,15 @@ void test6_callee(array_t *arr) {`
`96`	`96`
`97`	`97`	`void test6(int size) {`
`98`	`98`	`test6_callee(mk_array_p(size));`
`99`		`-}`
	`99`	`+}`
	`100`	`+`
	`101`	`+void test7(int size) {`
	`102`	`+ char *arr = malloc(size);`
	`103`	`+ for (char *p = arr; p < arr + size; p++) {`
	`104`	`+ *p = 0; // GOOD`
	`105`	`+ }`
	`106`	`+`
	`107`	`+ for (char *p = arr; p <= arr + size; p++) {`
	`108`	`+ *p = 0; // BAD [NOT DETECTED]`
	`109`	`+ }`
	`110`	`+}`