Merge pull request #5973 from MathiasVP/more-uncontrolled-arith-improvements

jbj · web-flow · commit 2261085cfeed · 2021-06-01T10:44:29.000+02:00
C++: More `cpp/uncontrolled-arithmetic` improvements
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -19,7 +19,11 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import TaintedWithPath
 
 predicate isUnboundedRandCall(FunctionCall fc) {
-  fc.getTarget().getName() = "rand" and not bounded(fc)
+  exists(Function func | func = fc.getTarget() |
+    func.hasGlobalOrStdOrBslName("rand") and
+    not bounded(fc) and
+    func.getNumberOfParameters() = 0
+  )
 }
 
 /**
@@ -84,6 +88,10 @@ predicate bounded(Expr e) {
   boundedDiv(e, any(DivExpr div).getLeftOperand())
   or
   boundedDiv(e, any(AssignDivExpr div).getLValue())
+  or
+  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
+  or
+  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
 }
 
 predicate isUnboundedRandCallOrParent(Expr e) {
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@@ -37,3 +37,14 @@ void randomTester2()
 		r = r + 100; // BAD
 	}
 }
+
+int rand(int min, int max);
+unsigned rand(int max);
+
+void test_with_bounded_randomness() {
+  int r = rand(0, 10);
+  r++; // GOOD
+
+	unsigned unsigned_r = rand(10);
+	unsigned_r++; // GOOD
+}
