github · geoffw0 · Sep 24, 2018 · Sep 24, 2018 · Sep 24, 2018 · Sep 24, 2018
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
@@ -21,17 +21,19 @@ import semmle.code.cpp.controlflow.SSA
 /**
  * Holds if `e` is either:
  *  - a constant
+ *  - a char-typed expression, meaning it's a small number
  *  - an array access to an array of constants
  *  - flows from one of the above
  * In these cases the value of `e` is likely to be small and
  * controlled, so we consider it less likely to cause an overflow.
  */
-predicate effectivelyConstant(Expr e) {
+predicate likelySmall(Expr e) {
   e.isConstant() or
+  e.getType().getSize() <= 1 or
   e.(ArrayExpr).getArrayBase().getType().(ArrayType).getBaseType().isConst() or
   exists(SsaDefinition def, Variable v |
     def.getAUse(v) = e and
-    effectivelyConstant(def.getDefiningValue(v))
+    likelySmall(def.getDefiningValue(v))
   )
 }
 
@@ -56,7 +58,7 @@ int getEffectiveMulOperands(MulExpr me) {
   result = count(Expr op |
     op = getMulOperand*(me) and
     not op instanceof MulExpr and
-    not effectivelyConstant(op)
+    not likelySmall(op)
   )
 }
 

diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c
@@ -88,3 +88,7 @@ void use_printf(float f, double d)
 		// ^ there's a float -> double varargs promotion here, but it's unlikely that the author anticipates requiring a double
 	printf("%f", d * d); // safe
 }
+
+size_t three_chars(unsigned char a, unsigned char b, unsigned char c) {
+    return a * b * c; // at most 16581375
+}