From 59d9c6e3f2a3dee63ab325414ffe3ad3750ec4cc Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 29 Jun 2023 16:50:57 +0100
Subject: [PATCH 1/2] C++: Use the pruning stage in the product-flow configuration.

---
 cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql b/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
index a9af2d08f51..1aa7551f63e 100644
--- a/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
@@ -120,6 +120,10 @@ module ValidState {
 predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
+ predicate isBarrierOut(DataFlow::Node node) {
+ node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
+ }
+
 predicate isAdditionalFlowStep(
 DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
 ) {
@@ -233,7 +237,8 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
 // we use `state2` to remember that there was an offset (in this case an offset of `1`) added
 // to the size of the allocation. This state is then checked in `isSinkPair`.
 exists(state1) and
- hasSize(bufSource.asConvertedExpr(), sizeSource, state2)
+ hasSize(bufSource.asConvertedExpr(), sizeSource, state2) and
+ validState(sizeSource, state2)
 }
 predicate isSinkPair(

From 97916407c2037564c921ed9762250ad784ef5052 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 29 Jun 2023 16:51:08 +0100
Subject: [PATCH 2/2] C++: Accept test changes.

---
 .../CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
index e1665c23315..a5e2ae3b0b6 100644
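Review bot: The new `isBarrierOut` in `ValidState` stops all flow out of any node that is a phi input selected by `getAnInput(true)`, and nothing in the hunk says why that is acceptable for a pruning stage; since the second hunk makes `StringSizeConfig` require `validState(sizeSource, state2)` on its source pair, a size value that is carried around a loop before reaching the allocation is dropped from the overrun-write query altogether, which is a deliberate false-negative trade-off for a CWE-119 query and should be stated. If the boolean argument selects back-edge inputs (the name suggests it, but it cannot be confirmed from this hunk), a comment on the predicate should say so and name the consequence, e.g. `// Do not let flow leave a phi input (getAnInput(true)); sizes carried round a loop never reach a valid state here, and StringSizeConfig only accepts sources that ValidState admits, so such allocations are not reported.` A SAMATE-style test in which the size is accumulated in a loop before `malloc` would make the accepted loss visible rather than implicit. The enclosing `ValidState` module starts before this hunk and continues after it.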
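Review bot: The comment directly above the changed lines still says the state "is then checked in `isSinkPair`", but the added conjunct `validState(sizeSource, state2)` now also gates the pair on the pruning stage (presumably the `ValidState` module from the first hunk), so a reader of the comment misses the second check; extend it, e.g. `// This state is then checked in `isSinkPair`, and the pair is only a source at all if the ValidState pruning stage admits (sizeSource, state2).` The second patch's diffstat reports exactly 6 deletions, all of them `edges` and `nodes` rows and no `#select` rows, which is consistent with the pruning dropping partial paths rather than alerts, but that should be confirmed against test.cpp lines 228 and 256, which are not in this diff. The enclosing predicate (presumably `isSourcePair`) starts before this hunk.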
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
@@ -75,7 +75,6 @@ edges
 | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
 | test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
 | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
-| test.cpp:228:43:228:48 | call to malloc | test.cpp:232:10:232:15 | buffer |
 | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
 | test.cpp:236:5:236:26 | ... = ... | test.cpp:236:12:236:17 | p_str indirection [post update] [string] |
 | test.cpp:241:27:241:32 | call to malloc | test.cpp:242:22:242:27 | buffer |
@@ -86,7 +85,6 @@ edges
 | test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:16:243:21 | string indirection |
 | test.cpp:243:16:243:21 | string indirection | test.cpp:243:12:243:21 | string |
 | test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p |
-| test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
 | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
 | test.cpp:264:20:264:25 | call to malloc | test.cpp:266:12:266:12 | p |
 nodes
@@ -155,8 +153,6 @@ nodes
 | test.cpp:216:10:216:10 | p | semmle.label | p |
 | test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
 | test.cpp:222:15:222:20 | buffer | semmle.label | buffer |
-| test.cpp:228:43:228:48 | call to malloc | semmle.label | call to malloc |
-| test.cpp:232:10:232:15 | buffer | semmle.label | buffer |
 | test.cpp:235:40:235:45 | buffer | semmle.label | buffer |
 | test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... |
 | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | semmle.label | p_str indirection [post update] [string] |
@@ -168,8 +164,6 @@ nodes
 | test.cpp:243:16:243:21 | string indirection | semmle.label | string indirection |
 | test.cpp:249:20:249:27 | call to my_alloc | semmle.label | call to my_alloc |
 | test.cpp:250:12:250:12 | p | semmle.label | p |
-| test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |
-| test.cpp:257:12:257:12 | p | semmle.label | p |
 | test.cpp:262:22:262:27 | call to malloc | semmle.label | call to malloc |
 | test.cpp:264:20:264:25 | call to malloc | semmle.label | call to malloc |
 | test.cpp:266:12:266:12 | p | semmle.label | p |