C++: More accurate solution using Guards library.

geoffw0 · geoffw0 · commit d5d8b482181d · 2021-01-20T17:15:42.000Z
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql b/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
@@ -12,6 +12,7 @@
  */
 
 import cpp
+import semmle.code.cpp.controlflow.Guards
 
 /**
  * A function call that potentially does not return (such as `exit`).
@@ -48,7 +49,11 @@ class ReallocCallLeak extends FunctionCall {
    * example a call to `exit()`.
    */
   predicate mayHandleByTermination() {
-    this.(ControlFlowNode).getASuccessor*() instanceof CallMayNotReturn
+    exists(GuardCondition guard, CallMayNotReturn exit |
+      this.(ControlFlowNode).getASuccessor*() = guard and
+      guard.getAChild*() = v.getAnAccess() and
+      guard.controls(exit.getBasicBlock(), _)
+    )
   }
 }
 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.expected
@@ -4,3 +4,5 @@
 | test.c:186:29:186:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:282:29:282:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:299:26:299:32 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:328:29:328:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:342:29:342:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c
@@ -322,7 +322,7 @@ unsigned char *noBadResize_4_1(unsigned char *buffer, size_t currentSize, size_t
 
 unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
 {
-	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block [NOT DETECTED]
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
 	if (currentSize < newSize)
 	{
 		buffer = (unsigned char *)realloc(buffer, newSize);
@@ -336,7 +336,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t
 
 unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
 {
-	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block [NOT DETECTED]
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
 	if (currentSize < newSize)
 	{
 		buffer = (unsigned char *)realloc(buffer, newSize);

Original file line number	Diff line number	Diff line change
`@@ -322,7 +322,7 @@ unsigned char noBadResize_4_1(unsigned char buffer, size_t currentSize, size_t`
`322`	`322`
`323`	`323`	`unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)`
`324`	`324`	`{`
`325`		`- // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block [NOT DETECTED]`
	`325`	`+ // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block`
`326`	`326`	`if (currentSize < newSize)`
`327`	`327`	`{`
`328`	`328`	`buffer = (unsigned char *)realloc(buffer, newSize);`
`@@ -336,7 +336,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t`
`336`	`336`
`337`	`337`	`unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)`
`338`	`338`	`{`
`339`		`- // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block [NOT DETECTED]`
	`339`	`+ // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block`
`340`	`340`	`if (currentSize < newSize)`
`341`	`341`	`{`
`342`	`342`	`buffer = (unsigned char *)realloc(buffer, newSize);`