more work DecOverflowWhenComparing

Author: GrosQuildu

cpp/src/security/DecOverflowWhenComparing/DecOverflowWhenComparing.c

@@ -3,11 +3,88 @@
 #include <stdlib.h>
 #include <string.h>
 
+size_t min(size_t a, size_t b) {
+	return a < b ? a : b;
+}
+
+void MlasReorderInputNhwc(
+    const float* S,
+    float* D,
+    size_t InputChannels,
+    size_t RowCount,
+    size_t FullRowCount
+    )
+{
+    const size_t BlockSize = FullRowCount % 123;
+
+    //
+    // Iterate over batches of the input size to improve locality.
+    //
+
+    for (size_t OuterRowCountRemaining = RowCount; OuterRowCountRemaining > 0; ) {
+
+        size_t OuterRowCountBatch = 32;
+
+        const size_t OuterRowCountThisIteration = min(OuterRowCountRemaining, OuterRowCountBatch);
+        OuterRowCountRemaining -= OuterRowCountThisIteration;
+
+        //
+        // Iterate over BlockSize batches of the input channels.
+        //
+
+        const float* s = S;
+        float* d = D;
+
+        for (size_t i = InputChannels; i > 0;) {
+
+            const size_t InputChannelsThisIteration = min(i, BlockSize);
+            i -= InputChannelsThisIteration;
+
+            const float* ss = s;
+            float* dd = d;
+            size_t InnerRowCountRemaining = OuterRowCountThisIteration;
+
+            if (InputChannelsThisIteration == BlockSize) {
+
+                if (BlockSize == 8) {
+
+                    while (InnerRowCountRemaining-- > 0) {
+                        ss += InputChannels;
+                        dd += 8;
+                    }
+
+                } else {
+
+                    while (InnerRowCountRemaining-- > 0) {
+                        ss += InputChannels;
+                        dd += 16;
+                    }
+                }
+
+            } else {
+
+                size_t BlockPadding = BlockSize - InputChannelsThisIteration;
+
+                while (InnerRowCountRemaining-- > 0) {
+                    ss += InputChannels;
+                    dd += BlockSize;
+                }
+            }
+
+            s += InputChannelsThisIteration;
+            d += BlockSize * FullRowCount;
+        }
+
+        S += InputChannels * OuterRowCountThisIteration;
+        D += BlockSize * OuterRowCountThisIteration;
+    }
+}
+
 // from https://github.com/apple-oss-distributions/Libinfo/blob/9fce29e5c5edc15d3ecea55116ca17d3f6350603/lookup.subproj/mdns_module.c#L1033C1-L1079C2
 char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)
 {
 	int i = 0, j = 0;
-	uint32_t len;
+	// uint32_t len;
 	uint32_t domainlen = 0;
 	char *domain = NULL;
 
@@ -19,8 +96,8 @@ char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)
 	 */
 	while (datalen-- > 0)
 	{
-		printf("%d\n", len);
-		len = data[i++];
+		// printf("%d\n", len);
+		uint32_t len = data[i++];
 		domainlen += (len + 1);
 		domain = reallocf(domain, domainlen);
 

cpp/src/security/DecOverflowWhenComparing/DecOverflowWhenComparing.ql

@@ -12,8 +12,33 @@
 
 import cpp
 import semmle.code.cpp.ir.IR
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 
-from Variable var, VariableAccess varAcc, DecrementOperation dec,
+/**
+ * Find CFG paths from start to end that do not cross over node that is var's lvalue access
+ * TODO: there must be an API for that...
+ */
+predicate successorGuarded(ControlFlowNode start, ControlFlowNode end, Variable var) {
+  start = end
+  or
+  exists(ControlFlowNode interm |
+    start.getASuccessor() = interm and
+
+    // break the path if variable is overwritten
+    not (
+      interm = var.getAnAccess() and
+      interm.(VariableAccess).isLValue()
+    ) and
+
+    (
+      interm.getASuccessor() = end
+      or
+      successorGuarded(interm, end, var)
+    )
+  )
+}
+
+from Variable var, VariableAccess varAcc, PostfixDecrExpr dec,
   VariableAccess varAccAfterOverflow, ComparisonOperation cmp
 where
   // get unsigned variable that is decremented
@@ -28,19 +53,9 @@ where
   cmp.getAnOperand() instanceof Zero and
 
   // only if the variable is used after the comparison
-  cmp.getASuccessor+() = varAccAfterOverflow and
+  successorGuarded(cmp, varAccAfterOverflow, var) and
   cmp.getAnOperand().getAChild*() != varAccAfterOverflow and
 
-  // skip if the variable is overwritten
-  // TODO: handle loops correctly
-  // not exists(VariableAccess varAccLV | varAccLV.isUsedAsLValue() |
-  //   varAccLV = var.getAnAccess() and
-  //   varAccLV != varAcc and
-  //   varAccLV != varAccAfterOverflow and
-  //   cmp.getASuccessor+() = varAccLV and
-  //   varAccAfterOverflow.getAPredecessor+() = varAccLV
-  // ) and
-
   // var-- > 0 (0 < var--) then accesses only in false branch
   // var-- >= 0 then accesses in all branches
   // var-- == 0 then accesses in all branches
@@ -54,4 +69,13 @@ where
     cmp.getAFalseSuccessor().getASuccessor*() = varAccAfterOverflow
   else
     any()
-select cmp, varAccAfterOverflow
+
+  and
+
+  // only if var may possibly be zero during comparison
+  lowerBound(varAcc) = 0
+
+  // skip tests etc
+  and not dec.getFile().getAbsolutePath().toLowerCase().matches(["%test%", "%vendor%", "%third_party%"])
+
+select dec, "Unsigned decrementation in comparison ($@) - $@", cmp, cmp.toString(), varAccAfterOverflow, varAccAfterOverflow.toString()

cpp/test/include/libc/stdint.h

@@ -0,0 +1,15 @@
+#ifndef USE_HEADERS
+
+#ifndef HEADER_STDINT_STUB_H
+#define HEADER_STDINT_STUB_H
+
+typedef unsigned char uint8_t;
+typedef unsigned short uint16_t;
+typedef unsigned int uint32_t;
+
+#endif
+#else // --- else USE_HEADERS
+
+#include <stdint.h>
+
+#endif // --- end USE_HEADERS

cpp/test/query-tests/security/DecOverflowWhenComparing/DecOverflowWhenComparing.c

@@ -1,12 +1,13 @@
-#ifndef USE_HEADERS
 #include "../../../include/libc/string_stubs.h"
+#include "../../../include/libc/stdlib.h"
+#include "../../../include/libc/unistd.h"
+#include "../../../include/libc/stdint.h"
+
+// #include <stdio.h>
+// #include <stdint.h>
+// #include <stdlib.h>
+// #include <string.h>
 
-#else
-#include <stdio.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#endif
 
 // from https://github.com/apple-oss-distributions/Libinfo/blob/9fce29e5c5edc15d3ecea55116ca17d3f6350603/lookup.subproj/mdns_module.c#L1033C1-L1079C2
 char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)