CPP: Expand the test cases covering PotentialBufferOverflow.ql.

geoffw0 · geoffw0 · commit 7194121eae70 · 2019-02-27T13:09:09.000Z
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/PotentialBufferOverflow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/PotentialBufferOverflow.expected
@@ -2,3 +2,4 @@
 | tests.cpp:259:2:259:8 | call to sprintf | This conversion may yield a string of length 17, which exceeds the allocated buffer size of 10 |
 | tests.cpp:272:2:272:8 | call to sprintf | This conversion may yield a string of length 9, which exceeds the allocated buffer size of 8 |
 | tests.cpp:273:2:273:8 | call to sprintf | This conversion may yield a string of length 9, which exceeds the allocated buffer size of 8 |
+| tests.cpp:287:2:287:8 | call to sprintf | This conversion may yield a string of length 318, which exceeds the allocated buffer size of 64 |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
@@ -272,3 +272,20 @@ void test4()
 	sprintf(buffer8, "12345678"); // BAD: buffer overflow
 	sprintf(buffer8_ptr, "12345678"); // BAD: buffer overflow
 }
+
+typedef void *va_list;
+int vsprintf(char *s, const char *format, va_list arg);
+
+void test5(va_list args, float f)
+{
+	char buffer10[10], buffer64[64];
+	char *buffer4 = new char[4 * sizeof(char)];
+
+	vsprintf(buffer10, "123456789", args); // GOOD
+	vsprintf(buffer10, "1234567890", args); // BAD: buffer overflow [NOT DETECTED]
+
+	sprintf(buffer64, "%f", f); // BAD: potential buffer overflow
+
+	vsprintf(buffer4, "123", args); // GOOD
+	vsprintf(buffer4, "1234", args); // BAD: buffer overflow [NOT DETECTED]
+}
