From d2fd986f40ce18381335988f636a654ca2db2256 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 23 Aug 2018 10:30:22 +0100
Subject: [PATCH 1/8] CPP: Support crement operations in CWE-190.
---
 .../Security/CWE/CWE-190/ArithmeticTainted.ql | 2 +-
 .../CWE/CWE-190/ArithmeticUncontrolled.ql | 2 +-
 .../CWE/CWE-190/ArithmeticWithExtremeValues.ql | 2 +-
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll | 16 +++++++++-------
 4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
index 16382cb86a77..647d96e85c38 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -21,7 +21,7 @@ predicate taintedVarAccess(Expr origin, VariableAccess va) {
 tainted(origin, va)
 }
-from Expr origin, BinaryArithmeticOperation op, VariableAccess va, string effect
+from Expr origin, Operation op, VariableAccess va, string effect
 where taintedVarAccess(origin, va)
 and op.getAnOperand() = va
 and
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index a6d03dfe2d58..1e47e2cd9956 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -46,7 +46,7 @@ predicate guardedByAssignDiv(Expr origin) {
 tainted(origin, va) and div.getLValue() = va)
 }
-from Expr origin, BinaryArithmeticOperation op, VariableAccess va, string effect
+from Expr origin, Operation op, VariableAccess va, string effect
 where taintedVarAccess(origin, va)
 and op.getAnOperand() = va
 and
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
index f218328a19ea..17a2089f00b0 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
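Review bot: Widening `op` from `BinaryArithmeticOperation` to `Operation` in the `from` clause leaves this query with no restriction of its own on which operators are reported; `Operation` also covers comparison, logical and assignment operators, so the result set is now defined entirely by the `instanceof` cases inside `missingGuardAgainstOverflow`/`missingGuardAgainstUnderflow` in Overflow.qll. That is correct as long as those predicates stay selective, but the dependency is invisible here, so a comment above the `from` would help: `// op may be any Operation; the operator kinds actually reported are chosen by missingGuardAgainst{Overflow,Underflow} in Overflow.qll`. The identical widening in the ArithmeticUncontrolled.ql and ArithmeticWithExtremeValues.ql hunks would take the same comment. The `where` clause continues past the end of each hunk.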
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -45,7 +45,7 @@ predicate taintedVarAccess(Expr origin, VariableAccess va) {
 tainted(origin, va)
 }
-from Expr origin, BinaryArithmeticOperation op, VariableAccess va, string effect
+from Expr origin, Operation op, VariableAccess va, string effect
 where taintedVarAccess(origin, va)
 and op.getAnOperand() = va
 and
diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index 72a9126d77fb..f6661b2013f3 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -4,7 +4,7 @@ import semmle.code.cpp.controlflow.Dominance
 /* Guarding */
 /** is the size of this use guarded using 'abs'? */
-predicate guardedAbs(BinaryArithmeticOperation e, Expr use) {
+predicate guardedAbs(Operation e, Expr use) {
 exists(FunctionCall fc |
 fc.getTarget().getName() = "abs" |
 fc.getArgument(0).getAChild*() = use
@@ -13,7 +13,7 @@ predicate guardedAbs(BinaryArithmeticOperation e, Expr use) {
 }
 /** is the size of this use guarded to be less than something? */
-predicate guardedLesser(BinaryArithmeticOperation e, Expr use) {
+predicate guardedLesser(Operation e, Expr use) {
 exists(IfStmt c, RelationalOperation guard |
 use = guard.getLesserOperand().getAChild*() and
 guard = c.getControllingExpr().getAChild*() and
@@ -33,7 +33,7 @@ predicate guardedLesser(BinaryArithmeticOperation e, Expr use) {
 }
 /** is the size of this use guarded to be greater than something? */
-predicate guardedGreater(BinaryArithmeticOperation e, Expr use) {
+predicate guardedGreater(Operation e, Expr use) {
 exists(IfStmt c, RelationalOperation guard |
 use = guard.getGreaterOperand().getAChild*() and
 guard = c.getControllingExpr().getAChild*() and
@@ -58,11 +58,12 @@ VariableAccess varUse(LocalScopeVariable v) {
 }
 /** is e not guarded against overflow by use? */
-predicate missingGuardAgainstOverflow(BinaryArithmeticOperation e, VariableAccess use) {
+predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
 use = e.getAnOperand() and
 exists(LocalScopeVariable v | use.getTarget() = v |
 // overflow possible if large
 (e instanceof AddExpr and not guardedLesser(e, varUse(v))) or
+ (e instanceof IncrementOperation and not guardedLesser(e, varUse(v))) or
 // overflow possible if large or small
 (e instanceof MulExpr and
 not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
@@ -70,12 +71,13 @@ predicate missingGuardAgainstOverflow(BinaryArithmeticOperation e, VariableAcces
 }
 /** is e not guarded against underflow by use? */
-predicate missingGuardAgainstUnderflow(BinaryArithmeticOperation e, VariableAccess use) {
+predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
 use = e.getAnOperand() and
 exists(LocalScopeVariable v | use.getTarget() = v |
 // underflow possible if use is left operand and small
- (e instanceof SubExpr and
- (use = e.getLeftOperand() and not guardedGreater(e, varUse(v)))) or
+ (use = e.(SubExpr).getLeftOperand() and not guardedGreater(e, varUse(v))) or
+ // underflow possible if small
+ (e instanceof DecrementOperation and not guardedGreater(e, varUse(v))) or
 // underflow possible if large or small
 (e instanceof MulExpr and
 not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
From a125e3ed860991fb49a77056e7f2c36e5a66d873 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 23 Aug 2018 10:43:09 +0100
Subject: [PATCH 2/8] CPP: Fix crement operations on pointers.
---
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
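Review bot: The QLDoc above `missingGuardAgainstOverflow` (`/** is e not guarded against overflow by use? */`) and the matching one above `missingGuardAgainstUnderflow` are unchanged although both predicates now accept any `Operation` and gained increment/decrement cases, so a caller cannot tell which operator kinds are covered without reading the bodies. Suggest rewriting them as `/** Holds if e is an addition, increment or multiplication whose operand use (an access of a local variable) is not guarded against overflow. */` and `/** Holds if e is a subtraction (with use as its left operand), decrement or multiplication whose operand use is not guarded against underflow. */`, and keeping them in step as further operator kinds are added. The new `IncrementOperation`/`DecrementOperation` branches cover both prefix and postfix forms, which is worth stating in the adjacent `// overflow possible if large` and `// underflow possible if small` comments. The closing lines of both predicates fall outside their hunks.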
diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index f6661b2013f3..7b3e8fd6f2aa 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -63,7 +63,7 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
 exists(LocalScopeVariable v | use.getTarget() = v |
 // overflow possible if large
 (e instanceof AddExpr and not guardedLesser(e, varUse(v))) or
- (e instanceof IncrementOperation and not guardedLesser(e, varUse(v))) or
+ (e instanceof IncrementOperation and not guardedLesser(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
 // overflow possible if large or small
 (e instanceof MulExpr and
 not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
@@ -77,7 +77,7 @@ predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
 // underflow possible if use is left operand and small
 (use = e.(SubExpr).getLeftOperand() and not guardedGreater(e, varUse(v))) or
 // underflow possible if small
- (e instanceof DecrementOperation and not guardedGreater(e, varUse(v))) or
+ (e instanceof DecrementOperation and not guardedGreater(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
 // underflow possible if large or small
 (e instanceof MulExpr and
 not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
From 87fb447c4b7f0ccb05710c30636a9b46857122d1 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 23 Aug 2018 10:47:45 +0100
Subject: [PATCH 3/8] CPP: Improve the logic in ArithmeticWithExtremeValues.ql.
---
 .../CWE/CWE-190/ArithmeticWithExtremeValues.ql | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
index 17a2089f00b0..6292ffa485ba 100644
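Review bot: The added `v.getType().getUnspecifiedType() instanceof IntegralType` test is pasted verbatim into both the `IncrementOperation` line and the `DecrementOperation` line, which pushes each well past the line width used elsewhere in the file and means any later refinement has to be made twice. A small documented helper predicate keeps the two in step and gives the pointer exclusion a name (sketch below). One thing to confirm rather than assume: `getUnspecifiedType()` on a variable declared as a reference (`int &r`) yields a `ReferenceType`, not an `IntegralType`, so `++r`/`--r` on a tainted integer reference appears to be dropped along with pointers; if references should stay in scope, the helper is the one place to unwrap them. The enclosing predicates start and end outside the hunks.
```ql
/** Holds if `v` is declared with an integral type (typedefs and specifiers stripped). Pointer-typed variables do not satisfy this, which is what keeps pointer increments/decrements out of the overflow results. */
predicate hasIntegralType(LocalScopeVariable v) {
  v.getType().getUnspecifiedType() instanceof IntegralType
}

// … unchanged: missingGuardAgainstOverflow up to the AddExpr case …
    (e instanceof IncrementOperation and not guardedLesser(e, varUse(v)) and hasIntegralType(v)) or
// … unchanged: MulExpr case, missingGuardAgainstUnderflow up to the SubExpr case …
    (e instanceof DecrementOperation and not guardedGreater(e, varUse(v)) and hasIntegralType(v)) or
```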
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -35,18 +35,18 @@ predicate isMinValue(MacroInvocationExpr mie) {
 class SecurityOptionsArith extends SecurityOptions {
 override predicate isUserInput(Expr expr, string cause) {
- (isMaxValue(expr) and cause = "max value") or
- (isMinValue(expr) and cause = "min value")
+ (isMaxValue(expr) and cause = "overflow") or
+ (isMinValue(expr) and cause = "underflow")
 }
 }
-predicate taintedVarAccess(Expr origin, VariableAccess va) {
- isUserInput(origin, _) and
+predicate taintedVarAccess(Expr origin, VariableAccess va, string cause) {
+ isUserInput(origin, cause) and
 tainted(origin, va)
 }
 from Expr origin, Operation op, VariableAccess va, string effect
-where taintedVarAccess(origin, va)
+where taintedVarAccess(origin, va, effect)
 and op.getAnOperand() = va
 and
 (
From eaf4c6e3190ffa18d7ca0d19b4e12d5eaa787398 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 24 Aug 2018 16:23:44 +0100
Subject: [PATCH 4/8] CPP: Change notes.
---
 change-notes/1.18/analysis-cpp.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/change-notes/1.18/analysis-cpp.md b/change-notes/1.18/analysis-cpp.md
index 5fff08db08e3..012c687cf214 100644
--- a/change-notes/1.18/analysis-cpp.md
+++ b/change-notes/1.18/analysis-cpp.md
@@ -26,7 +26,11 @@
 | [Variable used in its own initializer] | Fewer false positive results | Results where a macro is used to indicate deliberate uninitialization are now excluded |
 | [Assignment where comparison was intended] | Fewer false positive results | Results are no longer reported if the variable is not yet defined. |
 | [Comparison where assignment was intended] | More correct results | "This query now includes results where an overloaded `operator==` is used in the wrong context. |
-
+| [User-controlled data in arithmetic expression] | More correct results | Crement operations are now understood as arithmetic operations in this query. |
+| [Uncontrolled data in arithmetic expression] | More correct results | Crement operations are now understood as arithmetic operations in this query. |
+| [Use of extreme values in arithmetic expression] | More correct results | Crement operations are now understood as arithmetic operations in this query. |
+| [Use of extreme values in arithmetic expression] | Fewer false positives | The query now considers whether a particular expression might cause an overflow of minimum or maximum values only. |
+
 ## Changes to QL libraries
 * *Series of bullet points*
From 0bd8d9a113c881011faf99846e7e5bc3e3090a2b Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 28 Aug 2018 10:12:22 +0100
Subject: [PATCH 5/8] CPP: Spell out increment / decrement in change note.
---
 change-notes/1.18/analysis-cpp.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/change-notes/1.18/analysis-cpp.md b/change-notes/1.18/analysis-cpp.md
index 012c687cf214..d42bbb25acbf 100644
--- a/change-notes/1.18/analysis-cpp.md
+++ b/change-notes/1.18/analysis-cpp.md
@@ -26,9 +26,9 @@
 | [Variable used in its own initializer] | Fewer false positive results | Results where a macro is used to indicate deliberate uninitialization are now excluded |
 | [Assignment where comparison was intended] | Fewer false positive results | Results are no longer reported if the variable is not yet defined. |
 | [Comparison where assignment was intended] | More correct results | "This query now includes results where an overloaded `operator==` is used in the wrong context. |
-| [User-controlled data in arithmetic expression] | More correct results | Crement operations are now understood as arithmetic operations in this query. |
-| [Uncontrolled data in arithmetic expression] | More correct results | Crement operations are now understood as arithmetic operations in this query. |
-| [Use of extreme values in arithmetic expression] | More correct results | Crement operations are now understood as arithmetic operations in this query. |
+| [User-controlled data in arithmetic expression] | More correct results | Increment / decrement operations are now understood as arithmetic operations in this query. |
+| [Uncontrolled data in arithmetic expression] | More correct results | Increment / decrement operations are now understood as arithmetic operations in this query. |
+| [Use of extreme values in arithmetic expression] | More correct results | Increment / decrement operations are now understood as arithmetic operations in this query. |
 | [Use of extreme values in arithmetic expression] | Fewer false positives | The query now considers whether a particular expression might cause an overflow of minimum or maximum values only. |
 ## Changes to QL libraries
From 229d0406bb42ef239e4bea8a154ce89e73f329a4 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 28 Aug 2018 10:42:09 +0100
Subject: [PATCH 6/8] CPP: Add support for += and -=.
---
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index 7b3e8fd6f2aa..5e3a6cc8b80f 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -63,6 +63,7 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
 exists(LocalScopeVariable v | use.getTarget() = v |
 // overflow possible if large
 (e instanceof AddExpr and not guardedLesser(e, varUse(v))) or
+ (e instanceof AssignAddExpr and not guardedLesser(e, varUse(v))) or
 (e instanceof IncrementOperation and not guardedLesser(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
 // overflow possible if large or small
 (e instanceof MulExpr and
@@ -76,6 +77,7 @@ predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
 exists(LocalScopeVariable v | use.getTarget() = v |
 // underflow possible if use is left operand and small
 (use = e.(SubExpr).getLeftOperand() and not guardedGreater(e, varUse(v))) or
+ (use = e.(AssignSubExpr).getLValue() and not guardedGreater(e, varUse(v))) or
 // underflow possible if small
 (e instanceof DecrementOperation and not guardedGreater(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
 // underflow possible if large or small
From c82ab3866fbca2579c695f1ffc8852f96fba742f Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 28 Aug 2018 10:44:17 +0100
Subject: [PATCH 7/8] CPP: Extend change note.
---
 change-notes/1.18/analysis-cpp.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
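Review bot: The new `AssignAddExpr` case carries no integral-type restriction, while the `IncrementOperation` case directly below it (and `DecrementOperation` in the second hunk) requires `v.getType().getUnspecifiedType() instanceof IntegralType`, so `p += n` on a tainted pointer `p` is reported as an integer overflow although `++p` was deliberately excluded in the previous commit; the `AssignSubExpr` case in the second hunk has the same asymmetry. If the pointer exclusion is meant to apply to compound assignment as well, the consistent form is `(e instanceof AssignAddExpr and not guardedLesser(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or` and likewise for `AssignSubExpr`. It is also worth a comment that `AssignAddExpr` matches `use` on either side of the `+=` (via the `use = e.getAnOperand()` conjunct above the hunk) whereas `AssignSubExpr` only matches the assigned-to side, mirroring the `AddExpr`/`SubExpr` pair, e.g. `// overflow possible if large (either operand of + or +=)`. Both predicates start and end outside the hunks.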
diff --git a/change-notes/1.18/analysis-cpp.md b/change-notes/1.18/analysis-cpp.md
index d42bbb25acbf..054e1ca8370d 100644
--- a/change-notes/1.18/analysis-cpp.md
+++ b/change-notes/1.18/analysis-cpp.md
@@ -26,9 +26,9 @@
 | [Variable used in its own initializer] | Fewer false positive results | Results where a macro is used to indicate deliberate uninitialization are now excluded |
 | [Assignment where comparison was intended] | Fewer false positive results | Results are no longer reported if the variable is not yet defined. |
 | [Comparison where assignment was intended] | More correct results | "This query now includes results where an overloaded `operator==` is used in the wrong context. |
-| [User-controlled data in arithmetic expression] | More correct results | Increment / decrement operations are now understood as arithmetic operations in this query. |
-| [Uncontrolled data in arithmetic expression] | More correct results | Increment / decrement operations are now understood as arithmetic operations in this query. |
-| [Use of extreme values in arithmetic expression] | More correct results | Increment / decrement operations are now understood as arithmetic operations in this query. |
+| [User-controlled data in arithmetic expression] | More correct results | Increment / decrement / addition assignment / subtraction assignment operations are now understood as arithmetic operations in this query. |
+| [Uncontrolled data in arithmetic expression] | More correct results | Increment / decrement / addition assignment / subtraction assignment operations are now understood as arithmetic operations in this query. |
+| [Use of extreme values in arithmetic expression] | More correct results | Increment / decrement / addition assignment / subtraction assignment operations are now understood as arithmetic operations in this query. |
 | [Use of extreme values in arithmetic expression] | Fewer false positives | The query now considers whether a particular expression might cause an overflow of minimum or maximum values only. |
 ## Changes to QL libraries
From 0d6373924c5f359c665e4f57e1fe21fdec4ed2ca Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 28 Aug 2018 14:05:56 +0100
Subject: [PATCH 8/8] CPP: De-conflate cause and effect strings.
---
 .../CWE-190/ArithmeticWithExtremeValues.ql | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
index 6292ffa485ba..b49da844767c 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -35,8 +35,8 @@ predicate isMinValue(MacroInvocationExpr mie) {
 class SecurityOptionsArith extends SecurityOptions {
 override predicate isUserInput(Expr expr, string cause) {
- (isMaxValue(expr) and cause = "overflow") or
- (isMinValue(expr) and cause = "underflow")
+ (isMaxValue(expr) and cause = "max value") or
+ (isMinValue(expr) and cause = "min value")
 }
 }
@@ -45,13 +45,24 @@ predicate taintedVarAccess(Expr origin, VariableAccess va, string cause) {
 tainted(origin, va)
 }
-from Expr origin, Operation op, VariableAccess va, string effect
-where taintedVarAccess(origin, va, effect)
+predicate causeEffectCorrespond(string cause, string effect) {
+ (
+ cause = "max value" and
+ effect = "overflow"
+ ) or (
+ cause = "min value" and
+ effect = "underflow"
+ )
+}
+
+from Expr origin, Operation op, VariableAccess va, string cause, string effect
+where taintedVarAccess(origin, va, cause)
 and op.getAnOperand() = va
 and
 (
 (missingGuardAgainstUnderflow(op, va) and effect = "underflow") or
 (missingGuardAgainstOverflow(op, va) and effect = "overflow")
- )
+ ) and
+ causeEffectCorrespond(cause, effect)
 select va, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
 origin, "Extreme value"
pFad - Phonifier reborn
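Review bot: `causeEffectCorrespond` is undocumented, and its `"max value"`/`"min value"` literals must match the ones in `isUserInput` a few lines up byte for byte; because the final `and causeEffectCorrespond(cause, effect)` conjunct filters every result row, a typo on either side would make the query silently return nothing rather than fail. Suggest a QLDoc above the predicate, `/** Holds if an extreme value labelled cause by isUserInput ("max value" or "min value") can produce effect: a maximum value can only overflow, a minimum value can only underflow. */`, plus a one-line note on `isUserInput` that its cause strings are consumed by `causeEffectCorrespond`. It is also worth recording that `MulExpr`, which both `missingGuardAgainst*` predicates accept, is now reported under a single effect per extreme value (overflow for a maximum, underflow for a minimum) rather than under both, since that is the "fewer false positives" the change note describes. The `select` clause ends inside the hunk; `taintedVarAccess` begins before it.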
