|
| 1 | +import semmle.code.cpp.Function |
| 2 | +import semmle.code.cpp.models.interfaces.ArrayFunction |
| 3 | +import semmle.code.cpp.models.interfaces.DataFlow |
| 4 | +import semmle.code.cpp.models.interfaces.Alias |
| 5 | + |
| 6 | +/** |
| 7 | + * The standard function `memset` and its assorted variants |
| 8 | + */ |
| 9 | +class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction { |
| 10 | + MemsetFunction() { |
| 11 | + hasGlobalName("memset") or |
| 12 | + hasGlobalName("wmemset") or |
| 13 | + hasGlobalName("bzero") or |
| 14 | + hasGlobalName("__builtin_memset") or |
| 15 | + hasGlobalName("__builtin_memset_chk") or |
| 16 | + hasQualifiedName("std", "memset") or |
| 17 | + hasQualifiedName("std", "wmemset") |
| 18 | + } |
| 19 | + |
| 20 | + override predicate hasArrayOutput(int bufParam) { bufParam = 0 } |
| 21 | + |
| 22 | + override predicate hasDataFlow(FunctionInput input, FunctionOutput output) { |
| 23 | + input.isParameter(0) and |
| 24 | + output.isReturnValue() |
| 25 | + } |
| 26 | + |
| 27 | + override predicate hasArrayWithVariableSize(int bufParam, int countParam) { |
| 28 | + bufParam = 0 and |
| 29 | + (if hasGlobalName("bzero") then countParam = 1 else countParam = 2) |
| 30 | + } |
| 31 | + |
| 32 | + override predicate parameterNeverEscapes(int index) { hasGlobalName("bzero") and index = 0 } |
| 33 | + |
| 34 | + override predicate parameterEscapesOnlyViaReturn(int index) { |
| 35 | + not hasGlobalName("bzero") and index = 0 |
| 36 | + } |
| 37 | + |
| 38 | + override predicate parameterIsAlwaysReturned(int index) { |
| 39 | + not hasGlobalName("bzero") and index = 0 |
| 40 | + } |
| 41 | +} |
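Review bot: `hasDataFlow` reports flow from parameter 0 to the return value for every function in the class, including `bzero`, which returns `void`; the three alias predicates below it already exclude `bzero`, so this one is inconsistent with them. Adding `not hasGlobalName("bzero") and` ahead of `input.isParameter(0)` would keep the model aligned. Separately, GCC and Clang spell the fortified builtin `__builtin___memset_chk` (three underscores), so the `__builtin_memset_chk` entry in the characteristic predicate may never match, leaving `_FORTIFY_SOURCE` builds unmodelled for buffer-size queries; this is worth confirming against an extracted database. The class comment could also say that `bzero` has no fill-value argument, which is why its size is read from index 1 rather than 2 in `hasArrayWithVariableSize`.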