Merge pull request #4990 from geoffw0/cpp401b

MathiasVP · web-flow · commit 7bc461aeb273 · 2021-01-22T09:51:10.000+01:00
C++: Further improvements to experimental query cpp/memory-leak-on-failed-call-to-realloc
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql b/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
@@ -12,6 +12,7 @@
  */
 
 import cpp
+import semmle.code.cpp.controlflow.Guards
 
 /**
  * A function call that potentially does not return (such as `exit`).
@@ -48,7 +49,11 @@ class ReallocCallLeak extends FunctionCall {
    * example a call to `exit()`.
    */
   predicate mayHandleByTermination() {
-    this.(ControlFlowNode).getASuccessor*() instanceof CallMayNotReturn
+    exists(GuardCondition guard, CallMayNotReturn exit |
+      this.(ControlFlowNode).getASuccessor*() = guard and
+      guard.getAChild*() = v.getAnAccess() and
+      guard.controls(exit.getBasicBlock(), _)
+    )
   }
 }
 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.expected
@@ -4,3 +4,5 @@
 | test.c:186:29:186:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:282:29:282:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:299:26:299:32 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:328:29:328:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:342:29:342:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c
@@ -319,3 +319,28 @@ unsigned char *noBadResize_4_1(unsigned char *buffer, size_t currentSize, size_t
 
 	return buffer;
 }
+
+unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
+{
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
+	if (currentSize < newSize)
+	{
+		buffer = (unsigned char *)realloc(buffer, newSize);
+	}
+	if (cond)
+	{
+		abort(); // irrelevant
+	}
+	return buffer;
+}
+
+unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
+{
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
+	if (currentSize < newSize)
+	{
+		buffer = (unsigned char *)realloc(buffer, newSize);
+		assert(cond); // irrelevant
+	}
+	return buffer;
+}
