C++: Base results purely on allocations now, not multiplications by a sizeof.

geoffw0 · geoffw0 · commit a7979fdc1240 · 2020-04-09T15:05:29.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -16,11 +16,7 @@ import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
 predicate taintedChild(Expr e, Expr tainted) {
-  (
-    isAllocationExpr(e)
-    or
-    any(MulExpr me | me.getAChild() instanceof SizeofOperator) = e
-  ) and
+  isAllocationExpr(e) and
   tainted = e.getAChild() and
   tainted.getUnspecifiedType() instanceof IntegralType
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -5,12 +5,6 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
@@ -33,91 +27,31 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | (unsigned long)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | (unsigned long)... |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | (unsigned long)... |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | size |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | size |
 | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | (unsigned long)... |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size |
 | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
 | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | (unsigned long)... |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | size |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | size |
 | test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
 | test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | (unsigned long)... |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size |
 | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
 | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | (unsigned long)... |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | size |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | size |
 | test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
 | test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
-| test.cpp:201:9:201:12 | call to atoi | test.cpp:201:9:201:12 | call to atoi |
-| test.cpp:201:9:201:12 | call to atoi | test.cpp:201:9:201:28 | (unsigned long)... |
-| test.cpp:201:9:201:12 | call to atoi | test.cpp:201:9:201:42 | Store |
 | test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
 | test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
-| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi |
-| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi |
-| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi |
-| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:28 | (unsigned long)... |
 | test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:42 | Store |
-| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:12 | call to atoi |
-| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:12 | call to atoi |
-| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:12 | call to atoi |
-| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:28 | (unsigned long)... |
 | test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:42 | Store |
-| test.cpp:206:13:206:16 | call to atoi | test.cpp:206:13:206:16 | call to atoi |
-| test.cpp:206:13:206:16 | call to atoi | test.cpp:206:13:206:32 | (unsigned long)... |
-| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi |
-| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi |
-| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi |
-| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:32 | (unsigned long)... |
-| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:16 | call to atoi |
-| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:16 | call to atoi |
-| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:16 | call to atoi |
-| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:32 | (unsigned long)... |
 | test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
 | test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
 | test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
 | test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
-| test.cpp:227:19:227:22 | call to atoi | test.cpp:227:19:227:22 | call to atoi |
-| test.cpp:227:19:227:22 | call to atoi | test.cpp:227:19:227:38 | (unsigned long)... |
-| test.cpp:227:19:227:22 | call to atoi | test.cpp:229:9:229:18 | (size_t)... |
-| test.cpp:227:19:227:22 | call to atoi | test.cpp:229:9:229:18 | local_size |
-| test.cpp:227:19:227:22 | call to atoi | test.cpp:229:9:229:18 | local_size |
-| test.cpp:227:19:227:22 | call to atoi | test.cpp:235:11:235:20 | (size_t)... |
-| test.cpp:227:19:227:22 | call to atoi | test.cpp:237:10:237:19 | (size_t)... |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:38 | (unsigned long)... |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | (size_t)... |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:235:11:235:20 | (size_t)... |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:237:10:237:19 | (size_t)... |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:22 | call to atoi |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:22 | call to atoi |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:22 | call to atoi |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:38 | (unsigned long)... |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | (size_t)... |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
@@ -133,11 +67,6 @@ nodes
 | test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
 | test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
 | test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
 | test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
 | test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
 | test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
@@ -155,56 +84,24 @@ nodes
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
-| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
-| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
 | test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:127:24:127:27 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:127:24:127:27 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:127:24:127:27 | size | semmle.label | size |
-| test.cpp:127:24:127:27 | size | semmle.label | size |
-| test.cpp:127:24:127:27 | size | semmle.label | size |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
 | test.cpp:132:19:132:24 | call to getenv | semmle.label | call to getenv |
 | test.cpp:132:19:132:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:134:10:134:13 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:134:10:134:13 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:134:10:134:13 | size | semmle.label | size |
-| test.cpp:134:10:134:13 | size | semmle.label | size |
-| test.cpp:134:10:134:13 | size | semmle.label | size |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:138:19:138:24 | call to getenv | semmle.label | call to getenv |
 | test.cpp:138:19:138:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:142:11:142:14 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:142:11:142:14 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:142:11:142:14 | size | semmle.label | size |
-| test.cpp:142:11:142:14 | size | semmle.label | size |
-| test.cpp:142:11:142:14 | size | semmle.label | size |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:201:9:201:12 | call to atoi | semmle.label | call to atoi |
-| test.cpp:201:9:201:12 | call to atoi | semmle.label | call to atoi |
-| test.cpp:201:9:201:12 | call to atoi | semmle.label | call to atoi |
-| test.cpp:201:9:201:28 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:201:9:201:28 | (unsigned long)... | semmle.label | (unsigned long)... |
 | test.cpp:201:9:201:42 | Store | semmle.label | Store |
 | test.cpp:201:14:201:19 | call to getenv | semmle.label | call to getenv |
 | test.cpp:201:14:201:27 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:206:13:206:16 | call to atoi | semmle.label | call to atoi |
-| test.cpp:206:13:206:16 | call to atoi | semmle.label | call to atoi |
-| test.cpp:206:13:206:16 | call to atoi | semmle.label | call to atoi |
-| test.cpp:206:13:206:32 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:206:13:206:32 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:206:18:206:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:206:18:206:31 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:214:23:214:23 | s | semmle.label | s |
 | test.cpp:215:21:215:21 | s | semmle.label | s |
 | test.cpp:215:21:215:21 | s | semmle.label | s |
@@ -213,11 +110,6 @@ nodes
 | test.cpp:221:21:221:21 | s | semmle.label | s |
 | test.cpp:221:21:221:21 | s | semmle.label | s |
 | test.cpp:221:21:221:21 | s | semmle.label | s |
-| test.cpp:227:19:227:22 | call to atoi | semmle.label | call to atoi |
-| test.cpp:227:19:227:22 | call to atoi | semmle.label | call to atoi |
-| test.cpp:227:19:227:22 | call to atoi | semmle.label | call to atoi |
-| test.cpp:227:19:227:38 | (unsigned long)... | semmle.label | (unsigned long)... |
-| test.cpp:227:19:227:38 | (unsigned long)... | semmle.label | (unsigned long)... |
 | test.cpp:227:24:227:29 | call to getenv | semmle.label | call to getenv |
 | test.cpp:227:24:227:37 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
@@ -233,22 +125,14 @@ nodes
 #select
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:43:38:43:63 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:52:35:52:60 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
-| test.cpp:127:24:127:41 | ... * ... | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
 | test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
-| test.cpp:134:10:134:27 | ... * ... | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
 | test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
-| test.cpp:142:11:142:28 | ... * ... | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
-| test.cpp:201:9:201:42 | ... * ... | test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
-| test.cpp:206:13:206:46 | ... * ... | test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi | This allocation size is derived from $@ and might overflow | test.cpp:206:18:206:23 | call to getenv | user input (getenv) |
 | test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
-| test.cpp:227:19:227:52 | ... * ... | test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
