Skip to content

CPP: Support crement operations in CWE-190 #105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Aug 29, 2018
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
CPP: Add support for += and -=.
  • Loading branch information
geoffw0 committed Aug 28, 2018
commit 229d0406bb42ef239e4bea8a154ce89e73f329a4
2 changes: 2 additions & 0 deletions cpp/ql/src/semmle/code/cpp/security/Overflow.qll
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
exists(LocalScopeVariable v | use.getTarget() = v |
// overflow possible if large
(e instanceof AddExpr and not guardedLesser(e, varUse(v))) or
(e instanceof AssignAddExpr and not guardedLesser(e, varUse(v))) or
(e instanceof IncrementOperation and not guardedLesser(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're supporting x + 1 and x++ then why not x += 1? Same for subtraction.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. FWIW I think some of these cases are naive, the right-hand-side of subtraction is ignored and most cases assume the other side of a binary arithmetic expression is (at least sometimes) positive. I'll make a JIRA ticket to look into improving this.

// overflow possible if large or small
(e instanceof MulExpr and
Expand All @@ -76,6 +77,7 @@ predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
exists(LocalScopeVariable v | use.getTarget() = v |
// underflow possible if use is left operand and small
(use = e.(SubExpr).getLeftOperand() and not guardedGreater(e, varUse(v))) or
(use = e.(AssignSubExpr).getLValue() and not guardedGreater(e, varUse(v))) or
// underflow possible if small
(e instanceof DecrementOperation and not guardedGreater(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
// underflow possible if large or small
Expand Down
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy