
Commit c974693

committed
CPP: Add a test case for CWE-120.
1 parent 7ea6c1b commit c974693


2 files changed

+32
-0
lines changed


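--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
@@ -56,6 +56,11 @@
 | tests.cpp:519:3:519:8 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:510:16:510:21 | call to malloc | destination buffer |
 | tests.cpp:541:6:541:10 | call to fread | This 'fread' operation may access 101 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
 | tests.cpp:546:6:546:10 | call to fread | This 'fread' operation may access 400 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
+| tests.cpp:569:6:569:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
+| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
+| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:571:8:571:13 | buffer | array |
+| tests.cpp:579:6:579:12 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
+| tests.cpp:579:6:579:12 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:571:8:571:13 | buffer | array |
 | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
 | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |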

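--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -560,6 +560,32 @@ void test20()
 }
 }
 
+void test21(bool cond)
+{
+char buffer[100];
+char *ptr;
+int i;
+
+if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1]
+
+ptr = buffer;
+if (cond)
+{
+ptr++;
+if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[0]
+} else {
+if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1]
+}
+if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] or buffer[0]
+
+ptr = buffer;
+for (i = 0; i < 2; i++)
+{
+ptr++;
+}
+if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[1]
+}
+
 int main(int argc, char *argv[])
 {
 long long arr17[19];
@@ -582,6 +608,7 @@ int main(int argc, char *argv[])
 test18();
 test19(argc == 0);
 test20();
+test21(argc == 0);
 
 return 0;
 }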
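Review bot: `buffer` in test21 (new line 565) is declared without an initialiser, so the two checks marked GOOD at new lines 575 and 586 still read indeterminate bytes, and the case mixes an uninitialised read into the negative-index defect it is meant to isolate. Declaring it as `char buffer[100] = {0};` should leave the `buffer` token at the 565:7 position the expected rows cite while reducing every check to a pure bounds question. The accompanying OverflowBuffer.expected rows report new lines 577 and 579 twice each, once against the declaration at 565 and once against the `buffer` expression at 571, so I would record that next to the else branch, for example `// NOTE: lines 577 and 579 are each reported twice in OverflowBuffer.expected (sources at 565 and 571)`, so a later change in the alert count is read as intentional or as a regression. test21 lies fully inside the first hunk; the second hunk is inside main, whose body begins in the first hunk and continues outside what is shown.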
