From b59c2868cd75fc07a7a4489a2ed9173127b47753 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 Dec 2018 12:01:58 +0000
Subject: [PATCH] CPP: Add test cases for the macro logic and other details of ArithmeticUncontrolled.ql.
---
 .../ArithmeticUncontrolled.expected | 13 ++-
 .../CWE/CWE-190/semmle/uncontrolled/test.c | 81 ++++++++++++++++++-
 .../CWE/CWE-190/semmle/uncontrolled/test.cpp | 39 +++++++++
 3 files changed, 130 insertions(+), 3 deletions(-)
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
index 94c98956047..1244c9f1a05 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -1 +1,12 @@
-| test.c:13:17:13:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:10:13:10:16 | call to rand | Uncontrolled value |
+WARNING: Type MacroInvocationExpr has been deprecated and may be removed in future (C:\semmle\code\ql\cpp\ql\src\Security\CWE\CWE-190\ArithmeticUncontrolled.ql:22,13-32)
+| test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
+| test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
+| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
+| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:22 | call to rand | Uncontrolled value |
+| test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
+| test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
+| test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
+| test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. 
| test.cpp:8:9:8:12 | call to rand | Uncontrolled value | +| test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c index 4ae2e2d32a3..2b67b499a3c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c @@ -1,9 +1,17 @@ // Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression). // Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html -int rand(); +int rand(void); void trySlice(int start, int end); +#define RAND() rand() +#define RANDN(n) (rand() % n) +#define RAND2() (rand() ^ rand()) + + + + + void randomTester() { int i; for (i = 0; i < 1000; i++) { @@ -21,5 +29,74 @@ void randomTester() { trySlice(r, r+100); } } -} + { + int r = RAND(); + r += 100; // BAD: The return from RAND() is unbounded + } + + { + int r = RANDN(100); + r += 100; // GOOD: The return from RANDN is bounded [FALSE POSITIVE] + } + + { + int r = rand(); + r += 100; // BAD + } + + { + int r = rand() / 10; + r += 100; // GOOD + } + + { + int r = rand(); + r = r / 10; + r += 100; // GOOD [FALSE POSITIVE] + } + + { + int r = rand(); + r /= 10; + r += 100; // GOOD + } + + { + int r = rand() & 0xFF; + r += 100; // GOOD [FALSE POSITIVE] + } + + { + int r = rand() + 100; // BAD [NOT DETECTED] + } + + { + int r = RAND2(); + + r = r - 100; // BAD + } + + { + int r = (rand() ^ rand()); + + r = r - 100; // BAD [NOT DETECTED] + } + + { + int r = RAND2() - 100; // BAD [NOT DETECTED] + } + + { + int r = RAND(); + int *ptr_r = &r; + *ptr_r -= 100; // BAD [NOT DETECTED] + } + + { + int r = 0; + int *ptr_r = &r; + *ptr_r = RAND(); + r -= 100; // BAD + } +} 
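Review bot: The first added row of the expected output is a deprecation warning that embeds an absolute Windows path (`C:\semmle\code\ql\...\ArithmeticUncontrolled.ql:22,13-32`), so the baseline appears tied to one checkout location. Unless the test runner normalises such paths (not visible here), the comparison will differ on any other machine, and the baseline also pins the query's use of the deprecated `MacroInvocationExpr`. Moving the query off the deprecated type first would let this line drop out of the `.expected` file. Separately, `test.c:40` is reported twice (sources `... % ...` and `call to rand`) for a sink the test itself marks as a false positive, which doubles the alert noise for one finding.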
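Review bot: `RANDN(n)` uses its parameter unparenthesised, so an argument such as `50 + 50` would expand to `rand() % 50 + 50` and no longer bound the result the way the later `GOOD` comment assumes. `#define RANDN(n) (rand() % (n))` keeps the fixture's meaning independent of how it is invoked. The five added blank lines carry no explanation; if they are intentional padding, a one-line comment saying so would help the next person who edits this file.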
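Review bot: The `RANDN(100)` block is labelled `GOOD` because the value is bounded, but that holds only for a small modulus, and nothing in this hunk pins the case where `%` is present and the following addition can still overflow. If the `[FALSE POSITIVE]` rows are later fixed by treating `%`, `& 0xFF` or `/ 10` as a bound, a query that accepts any such operator as sanitising would pass these tests while missing real overflows. A companion block such as `int r = rand() % 0x7FFFFFFF;` followed by `r += 100; // BAD: modulus too large to bound the sum` would guard against that. The enclosing `randomTester` body starts outside this hunk.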
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
new file mode 100644
index 00000000000..5d4d7e8c5c3
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@@ -0,0 +1,39 @@
+// Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression).
+// Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html
+
+int rand(void);
+
+int get_rand()
+{
+ return rand();
+}
+
+void get_rand2(int *dest)
+{
+ *dest = rand();
+}
+
+void get_rand3(int &dest)
+{
+ dest = rand();
+}
+
+void randomTester2()
+{
+ {
+ int r = get_rand();
+ r = r + 100; // BAD
+ }
+
+ {
+ int r;
+ get_rand2(&r);
+ r = r + 100; // BAD [NOT DETECTED]
+ }
+
+ {
+ int r;
+ get_rand3(r);
+ r = r + 100; // BAD
+ }
+}
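Review bot: The `[NOT DETECTED]` tag on the `get_rand2(&r)` case does not say which step is missed, while the structurally similar reference case `get_rand3(r)` is reported. Writing a result through a pointer out-parameter is a very common way for uncontrolled values to enter C and C++ code, so the gap deserves an explicit label, for example `r = r + 100; // BAD [NOT DETECTED]: value written through the pointer parameter of get_rand2`. A short comment above the three helpers naming the flow each one exercises (return value, pointer out-parameter, reference out-parameter) would make the intent of the file clear to whoever later extends the query.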