Merge pull request #18222 from github/calumgrant/bmn/badly-bounded-write

C++: Fix FPs in cpp/badly-bounded-write caused by extraction errors
github · Dec 6, 2024 · ee8ce1c · ee8ce1c
2 parents fa123a7 + e98129c
commit ee8ce1c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -25,7 +25,8 @@ from BufferWrite bw, int destSize
 where
   bw.hasExplicitLimit() and // has an explicit size limit
   destSize = max(getBufferSize(bw.getDest(), _)) and
-  bw.getExplicitLimit() > destSize // but it's larger than the destination
+  bw.getExplicitLimit() > destSize and // but it's larger than the destination
+  not bw.getDest().getType().stripType() instanceof ErroneousType // destSize may be incorrect
 select bw,
   "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() +
     " bytes but the destination is only " + destSize + " bytes."
diff --git a/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md b/cpp/ql/src/change-notes/2024-12-05-badly-bounded-write.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Badly bounded write" query (`cpp/badly-bounded-write`) no longer produces results if there is an extraction error in the type of the output buffer.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/errors.c
@@ -0,0 +1,11 @@
+// semmle-extractor-options: --expect_errors
+
+typedef unsigned long size_t;
+typedef int wchar_t;
+
+int swprintf(wchar_t *s, size_t n, const wchar_t *format, ...);
+
+void test_extraction_errors() {
+    WCHAR buffer[3];
+    swprintf(buffer, 3, L"abc");
+}