C++: Add a test.

geoffw0 · geoffw0 · commit 2210344f4d93 · 2020-12-16T15:44:53.000Z
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
@@ -0,0 +1,17 @@
+edges
+| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
+nodes
+| test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
+| test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
+| test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... |
+| test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... |
+| test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
+| test.cpp:30:27:30:31 | ... * ... | semmle.label | ... * ... |
+| test.cpp:31:27:31:31 | ... * ... | semmle.label | ... * ... |
+#select
+| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | $@ in test | test.cpp:13:33:13:37 | ... * ... | here |
+| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | $@ in test | test.cpp:15:31:15:35 | ... * ... | here |
+| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | $@ in test | test.cpp:19:34:19:38 | ... * ... | here |
+| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | $@ in test | test.cpp:22:17:22:21 | ... * ... | here |
+| test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | $@ in test | test.cpp:30:27:30:31 | ... * ... | here |
+| test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | $@ in test | test.cpp:31:27:31:31 | ... * ... | here |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp
@@ -0,0 +1,32 @@
+
+typedef unsigned long size_t;
+void *malloc(size_t size);
+
+int getAnInt();
+
+void test()
+{
+	int x = getAnInt();
+	int y = getAnInt();
+
+	char *buffer1 = (char *)malloc(x + y); // GOOD
+	char *buffer2 = (char *)malloc(x * y); // BAD
+	int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD
+	int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD
+
+	if ((x <= 1000) && (y <= 1000))
+	{
+		char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE]
+	}
+
+	size_t size1 = x * y;
+	char *buffer5 = (char *)malloc(size1); // BAD
+
+	size_t size2 = x;
+	size2 *= y;
+	char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED]
+
+	char *buffer7 = new char[x * 10]; // GOOD
+	char *buffer8 = new char[x * y]; // BAD
+	char *buffer9 = new char[x * x]; // BAD
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql`