From 614a8ef09158e558cc4dd874fcbcd6835ecc28b8 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Thu, 13 Sep 2018 15:12:22 -0700
Subject: [PATCH] Allow void* pointer arithmetic with sizeof

Technically this isn't allowed by the C spec, but it's been seen in the wild: see https://lgtm.com/projects/g/libcsp/libcsp/snapshot/3763c7b3380f95c81636de5c95156fd3ef151a21/files/src/csp_buffer.c\#x1d04047d2bb68c21:1
---
 .../Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index 75c02b5e8c7f..d2d16b552bed 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -13,18 +13,19 @@
 import cpp
 import IncorrectPointerScalingCommon
-private predicate isCharPtrExpr(Expr e) {
+private predicate isCharSzPtrExpr(Expr e) {
 exists (PointerType pt
 | pt = e.getFullyConverted().getUnderlyingType()
- | pt.getBaseType().getUnspecifiedType() instanceof CharType)
+ | pt.getBaseType().getUnspecifiedType() instanceof CharType
+ or pt.getBaseType().getUnspecifiedType() instanceof VoidType)
 }
 from Expr sizeofExpr, Expr e
 where
 // If we see an addWithSizeof then we expect the type of
- // the pointer expression to be char*. Otherwise it is probably
- // a mistake.
- addWithSizeof(e, sizeofExpr, _) and not isCharPtrExpr(e)
+ // the pointer expression to be char* or void*. Otherwise it
+ // is probably a mistake.
+ addWithSizeof(e, sizeofExpr, _) and not isCharSzPtrExpr(e)
 select sizeofExpr, "Suspicious sizeof offset in a pointer arithmetic expression. " +