
Commit f436a4c

committed
nodes,edges
1 parent 3c9cb85 commit f436a4c

1 file changed

Lines changed: 32 additions & 2 deletions

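--- a/cpp/src/security/DecOverflowWhenComparing/DecOverflowWhenComparing.ql
+++ b/cpp/src/security/DecOverflowWhenComparing/DecOverflowWhenComparing.ql
@@ -2,7 +2,7 @@
 * @name Decrementation overflow when comparing
 * @id tob/cpp/dec-overflow-when-comparing
 * @description This query finds unsigned integer overflows resulting from unchecked decrementation during comparison.
-* @kind problem
+* @kind graph
 * @tags security
 * @problem.severity error
 * @precision high
@@ -14,6 +14,33 @@ import cpp
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 
+query predicate nodes(ControlFlowNode node, string key, string value) {
+exists(Variable var, PostfixDecrExpr dec |
+dec.getOperand() = var.getAnAccess().getExplicitlyConverted() and
+var.getUnderlyingType().(IntegralType).isUnsigned() and
+successorGuarded(node, _, var) and
+key = node.toString() and
+value = node.toString() + "-val"
+)
+}
+
+query predicate edges(ControlFlowNode source, ControlFlowNode target, string key, string value) {
+exists(Variable var, PostfixDecrExpr dec, VariableAccess acc |
+var.getAnAccess() = acc and
+dec.getOperand() = acc.getExplicitlyConverted() and
+var.getUnderlyingType().(IntegralType).isUnsigned() and
+
+source.getASuccessor() = target and
+
+key = source.toString() + "-key" and
+value = target.toString() + "-val"
+)
+}
+
+query predicate graphProperties(string key, string value) {
+key = "semmle.graphKind" and value = "graph"
+}
+
 /**
 * Find CFG paths from start to end that do not cross over node that is var's lvalue access
 * TODO: there must be an API for that...
@@ -38,6 +65,7 @@ predicate successorGuarded(ControlFlowNode start, ControlFlowNode end, Variable
 )
 }
 
+/*
 from Variable var, VariableAccess varAcc, PostfixDecrExpr dec,
 VariableAccess varAccAfterOverflow, ComparisonOperation cmp
 where
@@ -78,4 +106,6 @@ where
 // skip tests etc
 and not dec.getFile().getAbsolutePath().toLowerCase().matches(["%test%", "%vendor%", "%third_party%"])
 
-select dec, "Unsigned decrementation in comparison ($@) - $@", cmp, cmp.toString(), varAccAfterOverflow, varAccAfterOverflow.toString()
+select dec, "Unsigned decrementation in comparison ($@) - $@", cmp, cmp.toString(), varAccAfterOverflow, varAccAfterOverflow.toString()
+
+*/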
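Review bot: In the new `edges` predicate, `source.getASuccessor() = target` is not related to `var`, `dec` or `acc`, so the `exists` is satisfied by any unsigned postfix decrement anywhere in the database and the predicate then emits every CFG edge in the program rather than only the edges on the path between the decrement and the guarded comparison; the resulting graph is unbounded and unrelated to the finding. Constraining both endpoints the way `nodes` does, e.g. `successorGuarded(source, _, var) and successorGuarded(target, _, var) and source.getASuccessor() = target`, keeps only edges on the guarded paths (assuming `successorGuarded` is the intended filter; its body lies outside this hunk). Separately, the `key` column of `nodes` and `edges` is a property name rather than a label, so `key = node.toString()` and the `-key`/`-val` suffixes produce one distinct property per node; the usual shape is `key = "semmle.label" and value = node.toString()` for nodes and likewise for edges. The `@problem.severity error` and `@precision high` tags belong to the previous `@kind problem` form and no longer describe a graph query.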
