C++: Fix SnprintfOverflow issues

jbj · jbj · commit fd4967e6f1a8 · 2019-04-09T11:05:14.000+02:00
Requiring strict inclusion between types turned out to cause false
positives in `SnprintfOverflow`, which relied indirectly on
`RangeAnalysisUtils::linearAccessImpl` to identify acceptable bounds
checks. This query was particularly affected because `snprintf` returns
`int` (signed) but takes `size_t` (unsigned), so conversions are bound
to happen.
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll
@@ -209,8 +209,10 @@ predicate linearAccessImpl(Expr expr, VariableAccess v, float p, float q) {
   | linearAccess(cast.getExpr(), v, p, q) and
     sourceType = cast.getExpr().getType().getUnspecifiedType() and
     targetType = cast.getType().getUnspecifiedType() and
-    typeLowerBound(targetType) <= typeLowerBound(sourceType) and
-    typeUpperBound(targetType) >= typeUpperBound(sourceType) and
+    // This allows conversion between signed and unsigned, which is technically
+    // lossy but common enough that we'll just have to assume the user knows
+    // what they're doing.
+    targetType.getSize() >= sourceType.getSize() and
     expr = cast)
   or
   // (p*v+q) == p*v + q
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.expected
@@ -2,4 +2,3 @@
 | test.cpp:62:12:62:19 | call to snprintf | The $@ of this snprintf call is derived from its return value, which may exceed the size of the buffer and overflow. | test.cpp:62:26:62:34 | remaining | size argument |
 | test.cpp:76:10:76:17 | call to snprintf | The $@ of this snprintf call is derived from its return value, which may exceed the size of the buffer and overflow. | test.cpp:76:24:76:32 | ... - ... | size argument |
 | test.cpp:100:10:100:19 | call to snprintf_s | The $@ of this snprintf call is derived from its return value, which may exceed the size of the buffer and overflow. | test.cpp:100:35:100:54 | ... - ... | size argument |
-| test.cpp:109:15:109:22 | call to snprintf | The $@ of this snprintf call is derived from its return value, which may exceed the size of the buffer and overflow. | test.cpp:109:29:109:35 | buf_len | size argument |
