Merge pull request #7267 from github/redsun82/cpp-overrunning-write-precision-split

C++: add some more range analysis tests

Author: redsun82

cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected

@@ -3,13 +3,17 @@
 | tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
-| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
-| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
+| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
 | tests.cpp:341:2:341:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:343:2:343:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:345:2:345:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
 | tests.cpp:347:2:347:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
+| tests.cpp:350:2:350:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:354:2:354:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:358:2:358:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:363:2:363:8 | call to sprintf | This 'call to sprintf' operation requires 5 bytes but the destination is only 4 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp

@@ -310,39 +310,56 @@ namespace custom_sprintf_impl {
 }
 
 void test6(unsigned unsigned_value, int value) {
-	char buffer[2];
+	char buffer2[2], buffer3[3], buffer4[4], buffer5[5];
 
-	sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
-	sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
-	if (unsigned_value < 10) {
-		sprintf(buffer, "%u", unsigned_value); // GOOD
+	sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
+	sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow
+	if (unsigned_value < 1000) {
+		sprintf(buffer4, "%u", unsigned_value); // GOOD
 	}
 
-	sprintf(buffer, "%u", -10); // BAD: buffer overflow
+	sprintf(buffer4, "%u", -100); // BAD: buffer overflow
 
-	if(unsigned_value == (unsigned)-10) {
-		sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	if(unsigned_value == (unsigned)-100) {
+		sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
 	}
 
-	sprintf(buffer, "%d", value); // BAD: buffer overflow
-	if (value < 10) {
-		sprintf(buffer, "%d", value); // BAD: buffer overflow
+	sprintf(buffer4, "%d", value); // BAD: buffer overflow
+	if (value < 1000) {
+		sprintf(buffer4, "%d", value); // BAD: buffer overflow
 
-		if(value > 0) {
-			sprintf(buffer, "%d", value); // GOOD
+		if(value > -100) {
+			sprintf(buffer4, "%d", value); // GOOD
 		}
 	}
 
-	sprintf(buffer, "%u", 0); // GOOD
-	sprintf(buffer, "%d", 0); // GOOD
-	sprintf(buffer, "%u", 5); // GOOD
-	sprintf(buffer, "%d", 5); // GOOD
+	sprintf(buffer2, "%u", 0); // GOOD
+	sprintf(buffer2, "%d", 0); // GOOD
+	sprintf(buffer2, "%u", 5); // GOOD
+	sprintf(buffer2, "%d", 5); // GOOD
 
-	sprintf(buffer, "%d", -1); // BAD
-	sprintf(buffer, "%d", 9); // GOOD
-	sprintf(buffer, "%d", 10); // BAD
+	sprintf(buffer2, "%d", -1); // BAD
+	sprintf(buffer2, "%d", 9); // GOOD
+	sprintf(buffer2, "%d", 10); // BAD
 
-	sprintf(buffer, "%u", -1); // BAD
-	sprintf(buffer, "%u", 9); // GOOD
-	sprintf(buffer, "%u", 10); // BAD
+	sprintf(buffer2, "%u", -1); // BAD
+	sprintf(buffer2, "%u", 9); // GOOD
+	sprintf(buffer2, "%u", 10); // BAD
+
+	unsigned char unsigned_char = unsigned_value;
+	sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD
+	sprintf(buffer4, "%u", (unsigned)unsigned_char); // GOOD: 0..255 fits
+
+	unsigned small = unsigned_value >> (sizeof(unsigned_value) * 8 - 9);  // in range 0..511
+	sprintf(buffer3, "%u", small); // BAD
+	sprintf(buffer4, "%u", small); // GOOD
+
+	small = unsigned_value & ((1u << 9) - 1);  // in range 0..511
+	sprintf(buffer3, "%u", small); // BAD
+	sprintf(buffer4, "%u", small); // GOOD: 0..511 fits
+
+	char c = value;
+
+	sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit
+	sprintf(buffer5, "%d", (int)c); // GOOD: -127..128 fits
 }