cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference: 1 file changed, +4 -3 lines changed
77 * ```cpp
88 * 1. char* base = (char*)malloc(size);
99 * 2. char* end = base + size;
10- * 3. for(int *p = base; p <= end; p++) {
10+ * 3. for(char *p = base; p <= end; p++) {
1111 * 4. use(*p); // BUG: Should have been bounded by `p < end`.
1212 * 5. }
1313 * ```
1414 * this file identifies the flow from `base + size` to `end`. We call `base + size` the "dereference source" and `end`
15- * the "dereference sink" (even though `end` is not actually dereferenced - it will be used to find the correct
16- * dereference eventually).
15+ * the "dereference sink" (even though `end` is not actually dereferenced we will use this term because we will perform
16+ * dataflow to find a use of a pointer `x` such that `x <= end` which is dereferenced. In the above example, `x` is `p`
17+ * on line 4).
1718 *
1819 * Merely _constructing_ a pointer that's out-of-bounds is fine if the pointer is never dereferenced (in reality, the
1920 * standard only guarentees that it's safe to move the pointer one element past the last element. But we ignore that
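Review bot: the rewritten parenthetical on new lines 15-17 runs on with no punctuation after "not actually dereferenced" and is hard to read as a single sentence; suggest breaking it up, for example: `the "dereference sink" (even though `end` is not actually dereferenced, we use this term because we perform dataflow to find a dereferenced pointer `x` that is compared against it, such as `x <= end`; in the example above, `x` is `p` on line 4).` The `int *p` to `char *p` change on example line 3 is correct: `base` is a `char*`, and the `p <= end` versus `p < end` bound the comment describes only makes sense when `p` advances in `char` units. While here, the unchanged context line at the end of the hunk still reads "guarentees" for "guarantees".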