C++: Add some CWE-190 tests I had lying around.

geoffw0 · geoffw0 · commit 22097a9e13cd · 2020-09-14T14:39:02.000+01:00
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
@@ -4,6 +4,9 @@
 | test5.cpp:10:9:10:15 | call to strtoul | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:17:6:17:27 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:13 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test6.cpp:11:15:11:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
+| test6.cpp:16:15:16:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
+| test6.cpp:30:16:30:16 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
 | test.c:14:15:14:35 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:44:7:44:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value |
 | test.c:54:7:54:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp
@@ -0,0 +1,54 @@
+
+typedef unsigned short u16;
+typedef unsigned int u32;
+
+typedef struct {} FILE;
+int fscanf(FILE *stream, const char *format, ...);
+FILE *stdin;
+
+void docast1(u32 s)
+{
+	u16 c = (u16)s; // bad
+}
+
+void docast2(u32 s)
+{
+	u16 c = (u16)s; // bad
+}
+
+class MyBaseClass
+{
+public:
+	virtual void docast(u32 s) = 0;
+};
+
+class MyDerivedClass : public MyBaseClass
+{
+public:
+	void docast(u32 s)
+	{
+		u16 c = (u16)s; // bad
+	}
+};
+
+void test6()
+{
+    u32 s;
+
+	s = -1;
+	fscanf(stdin, "%hd", &s);
+
+	docast1(s);
+	{
+		void (*docast2_ptr)(u32) = &docast2;
+	
+		docast2_ptr(s);
+	}
+	{
+		MyBaseClass *mbc = new MyDerivedClass;
+
+		mbc->docast(s);
+
+		delete mbc;
+	}
+}
