CPP: Extend the StrcpyFunction model.

geoffw0 · geoffw0 · commit 4326699aa7bf · 2019-06-26T17:01:15.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -12,8 +12,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
     this.hasName("_mbscpy") or
     this.hasName("wcscpy") or
     this.hasName("strncpy") or
+    this.hasName("_strncpy_l") or
     this.hasName("_mbsncpy") or
-    this.hasName("wcsncpy")
+    this.hasName("_mbsncpy_l") or
+    this.hasName("wcsncpy") or
+    this.hasName("_wcsncpy_l")
   }
   
   override predicate hasArrayInput(int bufParam) {
@@ -31,8 +34,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
     (
       this.hasName("strncpy") or
+      this.hasName("_strncpy_l") or
       this.hasName("_mbsncpy") or
-      this.hasName("wcsncpy")
+      this.hasName("_mbsncpy_l") or
+      this.hasName("wcsncpy") or
+      this.hasName("_wcsncpy_l")
     ) and
     bufParam = 0 and
     countParam = 2
@@ -76,8 +82,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
       // these may do only a partial copy of the input buffer to the output
       // buffer
       this.hasName("strncpy") or
+      this.hasName("_strncpy_l") or
       this.hasName("_mbsncpy") or
-      this.hasName("wcsncpy")
+      this.hasName("_mbsncpy_l") or
+      this.hasName("wcsncpy") or
+      this.hasName("_wcsncpy_l")
     ) and (
       input.isInParameter(2) or
       input.isInParameterPointer(1)
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected
@@ -19,6 +19,9 @@
 | test.cpp:103:9:103:15 | call to strncpy | Return value of strncpy used directly in a conditional expression. |
 | test.cpp:107:9:107:15 | call to wcsncpy | Return value of wcsncpy used directly in a conditional expression. |
 | test.cpp:111:9:111:16 | call to _mbsncpy | Return value of _mbsncpy used directly in a conditional expression. |
+| test.cpp:115:9:115:18 | call to _strncpy_l | Return value of _strncpy_l used directly in a conditional expression. |
+| test.cpp:119:9:119:18 | call to _wcsncpy_l | Return value of _wcsncpy_l used directly in a conditional expression. |
+| test.cpp:123:9:123:18 | call to _mbsncpy_l | Return value of _mbsncpy_l used directly in a conditional expression. |
 | test.cpp:127:9:127:37 | ! ... | Return value of strncpy used in a logical operation. |
 | test.cpp:131:14:131:20 | call to strncpy | Return value of strncpy used as a Boolean. |
 | test.cpp:133:19:133:47 | ! ... | Return value of strncpy used in a logical operation. |
