From ae4d303540d5ea23f8a3faa3b62f3492f80368df Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Tue, 19 May 2020 11:07:12 -0700 Subject: [PATCH 01/15] C++: add local flow sources --- cpp/ql/src/semmle/code/cpp/models/Models.qll | 1 + .../cpp/models/implementations/Getenv.qll | 22 +++++++ .../code/cpp/models/interfaces/FlowSource.qll | 12 +++- .../semmle/code/cpp/security/FlowSources.qll | 66 +++++++++++++++++-- 4 files changed, 95 insertions(+), 6 deletions(-) create mode 100644 cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll index 82ae1fdc4f0a..32b7b172efc9 100644 --- a/cpp/ql/src/semmle/code/cpp/models/Models.qll +++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll @@ -1,6 +1,7 @@ private import implementations.Allocation private import implementations.Deallocation private import implementations.Fread +private import implementations.Getenv private import implementations.Gets private import implementations.IdentityFunction private import implementations.Inet diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll new file mode 100644 index 000000000000..764a7dab5dca --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll @@ -0,0 +1,22 @@ +/** + * Provides an implementation class modelling the POSIX function `getenv`. + */ +import cpp +import semmle.code.cpp.models.interfaces.FlowSource + +/** + * The POSIX function `getenv`. + */ +class Getenv extends LocalFlowFunction { + Getenv() { + this.hasGlobalName("getenv") + } + + override predicate hasLocalFlowSource (FunctionOutput output, string description) { + ( + output.isReturnValueDeref() or + output.isReturnValue() + ) and + description = "an environment variable" + } +} \ No newline at end of file 
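Review bot: In the new `Getenv` class, the characteristic predicate matches only the global name `getenv`, so a C++ caller that reaches the function as `std::getenv` may not be modelled, depending on how the standard library headers declare it. If the library version in use provides it, `this.hasGlobalOrStdName("getenv")` would cover both spellings. The QLDoc could also state that both the returned pointer and the string it points to are reported as sources, since `hasLocalFlowSource` holds for `isReturnValue()` as well as `isReturnValueDeref()`.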
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll index 2c9effaff7cb..8952d7499428 100644 --- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll +++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll @@ -11,7 +11,7 @@ import FunctionInputsAndOutputs import semmle.code.cpp.models.Models /** - * A library function which returns data read from a network connection. + * A library function which returns data that may be read from a network connection. */ abstract class RemoteFlowFunction extends Function { /** @@ -19,3 +19,13 @@ abstract class RemoteFlowFunction extends Function { */ abstract predicate hasRemoteFlowSource(FunctionOutput output, string description); } + +/** + * A library function which returns data that is directly controlled by a user. + */ +abstract class LocalFlowFunction extends Function { + /** + * Holds if data described by `description` flows from `output` of a call to this function. + */ + abstract predicate hasLocalFlowSource(FunctionOutput output, string description); +} \ No newline at end of file diff --git a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll index eff40572c025..62ef81175e5a 100644 --- a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll +++ b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll 
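Review bot: The QLDoc on the new `LocalFlowFunction` class ("data that is directly controlled by a user") does not say which trust boundary separates it from `RemoteFlowFunction`, and a remote peer is also a "user". Query authors need that distinction to decide whether local sources belong in a given query. I would word it as `A library function which returns data controlled by the local user who launches the program, such as an environment variable.` and keep the remote class for data that crosses a network connection.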
@@ -13,25 +13,35 @@ abstract class RemoteFlowSource extends DataFlow::Node { abstract string getSourceType(); } -private class TaintedReturnSource extends RemoteFlowSource { +/** A data flow source of local user input. */ +abstract class LocalFlowSource extends DataFlow::Node { + /** Gets a string that describes the type of this local flow source. */ + abstract string getSourceType(); +} + +private class RemoteReturnSource extends RemoteFlowSource { string sourceType; - TaintedReturnSource() { + RemoteReturnSource() { exists(RemoteFlowFunction func, CallInstruction instr, FunctionOutput output | asInstruction() = instr and instr.getStaticCallTarget() = func and func.hasRemoteFlowSource(output, sourceType) and - output.isReturnValue() + ( + output.isReturnValue() + or + output.isReturnValueDeref() + ) ) } override string getSourceType() { result = sourceType } } -private class TaintedParameterSource extends RemoteFlowSource { +private class RemoteParameterSource extends RemoteFlowSource { string sourceType; - TaintedParameterSource() { + RemoteParameterSource() { exists(RemoteFlowFunction func, WriteSideEffectInstruction instr, FunctionOutput output | asInstruction() = instr and instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and 
@@ -42,3 +52,49 @@ private class TaintedParameterSource extends RemoteFlowSource { override string getSourceType() { result = sourceType } } + +private class LocalReturnSource extends LocalFlowSource { + string sourceType; + + LocalReturnSource() { + exists(LocalFlowFunction func, CallInstruction instr, FunctionOutput output | + asInstruction() = instr and + instr.getStaticCallTarget() = func and + func.hasLocalFlowSource(output, sourceType) and + ( + output.isReturnValue() + or + output.isReturnValueDeref() + ) + ) + } + + override string getSourceType() { result = sourceType } +} + +private class LocalParameterSource extends LocalFlowSource { + string sourceType; + + LocalParameterSource() { + exists(LocalFlowFunction func, WriteSideEffectInstruction instr, FunctionOutput output | + asInstruction() = instr and + instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and + func.hasLocalFlowSource(output, sourceType) and + output.isParameterDeref(instr.getIndex()) + ) + } + + override string getSourceType() { result = sourceType } +} + +private class ArgvSource extends LocalFlowSource { + ArgvSource() { + exists(Parameter argv | + argv.hasName("argv") and + argv.getFunction().hasGlobalName("main") and + this.asExpr() = argv.getAnAccess() + ) + } + + override string getSourceType() { result = "a command line argument" } +} From 32b4b97208895940d2e19a2dbba7e49d4ca0cc72 Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Fri, 26 Jun 2020 15:46:03 -0700 Subject: [PATCH 02/15] C++: make ArgumentIndirectionNode public --- .../code/cpp/ir/dataflow/internal/DataFlowUtil.qll | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index 65d2210f9a67..4ad748abfe4a 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll 
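Review bot: `ArgvSource` identifies the command-line vector by the parameter name (`argv.hasName("argv")`), so a `main` that names its second parameter anything else produces no local source and format-string findings from it would be missed. Selecting by position avoids that: `exists(Function main | main.hasGlobalName("main") and this.asExpr() = main.getParameter(1).getAnAccess())`. Separately, `LocalReturnSource` and `LocalParameterSource` in this hunk repeat the bodies of the `Remote*` classes almost line for line, so a shared helper predicate would keep the two from drifting apart.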
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -73,6 +73,11 @@ class Node extends TIRDataFlowNode { */ Expr asPartialDefinition() { result = this.(PartialDefinitionNode).getDefinedExpr() } + /** + * Gets the argument expression that points to this node, if any. + */ + Expr asArgumentIndirection() { result = this.(ArgumentIndirectionNode).getArgument() } + /** * DEPRECATED: See UninitializedNode. * @@ -389,13 +394,12 @@ class DefinitionByReferenceNode extends InstructionNode { /** * A node representing the memory pointed to by a function argument. - * - * This class exists only in order to override `toString`, which would - * otherwise be the default implementation inherited from `InstructionNode`. */ -private class ArgumentIndirectionNode extends InstructionNode { +class ArgumentIndirectionNode extends InstructionNode { override ReadSideEffectInstruction instr; + Expr getArgument() { result = instr.getArgumentDef().getUnconvertedResultExpression() } + override string toString() { result = "Argument " + instr.getIndex() + " indirection" } } From 97bf1d4b7cc7d7a1d1d59bccaac6fcc7d740e945 Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Wed, 1 Jul 2020 14:46:36 -0700 Subject: [PATCH 03/15] C++: use IR TT::Conf in UncontrolledFormatString --- .../CWE/CWE-134/UncontrolledFormatString.ql | 46 ++- .../CWE-134/semmle/argv/argvLocal.expected | 313 ++++++++++-------- .../CWE-134/semmle/funcs/funcsLocal.expected | 96 +++--- .../UncontrolledFormatString.expected | 27 ++ .../CWE/CWE-134/semmle/ifs/ifs.expected | 132 ++++---- 5 files changed, 342 insertions(+), 272 deletions(-) diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql index b64091263e09..3ac7ca4cc9d9 100644 --- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql +++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql 
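Review bot: In the second hunk, `ArgumentIndirectionNode` becomes part of the public API, but its new member `getArgument()` has no QLDoc. The body returns `instr.getArgumentDef().getUnconvertedResultExpression()`, so callers get the unconverted expression, which matters when they compare it with a converted sink expression. I would add `/** Gets the unconverted argument expression whose pointed-to memory this node represents. */` above it.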
@@ -13,24 +13,44 @@ */ import cpp -import semmle.code.cpp.security.Security +import semmle.code.cpp.ir.dataflow.TaintTracking +import DataFlow::PathGraph import semmle.code.cpp.security.FunctionWithWrappers -import semmle.code.cpp.security.TaintTracking -import TaintedWithPath +import semmle.code.cpp.security.FlowSources -class Configuration extends TaintTrackingConfiguration { - override predicate isSink(Element tainted) { - exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _)) +class UncontrolledFormatStringConfiguration extends TaintTracking::Configuration { + UncontrolledFormatStringConfiguration() { this = "UncontrolledFormatStringConfiguration" } + + override predicate isSource(DataFlow::Node node) { + node instanceof RemoteFlowSource + or + // Even locally-sourced format strings can cause crashes or information leaks + node instanceof LocalFlowSource + } + + override predicate isSink(DataFlow::Node node) { + exists(PrintfLikeFunction printf | + printf.outermostWrapperFunctionCall(node.asArgumentIndirection(), _) + or + printf.outermostWrapperFunctionCall(node.asConvertedExpr(), _) + ) } } from - PrintfLikeFunction printf, Expr arg, PathNode sourceNode, PathNode sinkNode, - string printfFunction, Expr userValue, string cause + PrintfLikeFunction printf, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, + string printfFunction, string cause, UncontrolledFormatStringConfiguration conf where - printf.outermostWrapperFunctionCall(arg, printfFunction) and - taintedWithPath(userValue, arg, sourceNode, sinkNode) and - isUserInput(userValue, cause) -select arg, sourceNode, sinkNode, + ( + printf.outermostWrapperFunctionCall(sinkNode.getNode().asArgumentIndirection(), printfFunction) or + printf.outermostWrapperFunctionCall(sinkNode.getNode().asConvertedExpr(), printfFunction) + ) and + ( + cause = sourceNode.getNode().(RemoteFlowSource).getSourceType() + or + cause = sourceNode.getNode().(LocalFlowSource).getSourceType() + ) 
and + conf.hasFlowPath(sourceNode, sinkNode) +select sinkNode, sourceNode, sinkNode, "The value of this argument may come from $@ and is being used as a formatting argument to " + - printfFunction, userValue, cause + printfFunction, sourceNode, cause diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index 1d92afdeb040..cb8885ae85fc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
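Review bot: The rewritten `isSource` accepts only `RemoteFlowSource` and `LocalFlowSource`, where the removed query took its sources from `isUserInput` in `Security.qll`. As far as this series shows, the local side is modelled only for `getenv` and `main`'s `argv`, so any other input kind the old predicate recognised would stop producing alerts unless it has a flow-source model elsewhere. Please confirm against the updated `funcsLocal.expected` and `ifs.expected` that no source kind was dropped unintentionally, and record the limitation next to the disjunction, for example `// Local sources are limited to what LocalFlowSource models (currently getenv and argv)`. The `where` clause also restates the sink condition from `isSink` in order to bind `printfFunction`; a small helper predicate shared by both would keep them in step.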
@@ -1,329 +1,352 @@ edges +| argvLocal.c:9:25:9:31 | *correct | argvLocal.c:10:9:10:15 | (const char *)... | +| argvLocal.c:9:25:9:31 | correct | argvLocal.c:10:9:10:15 | (const char *)... | +| argvLocal.c:9:25:9:31 | correct | argvLocal.c:10:9:10:15 | correct | +| argvLocal.c:63:9:63:12 | argv | argvLocal.c:63:9:63:15 | access to array | +| argvLocal.c:64:15:64:18 | argv | argvLocal.c:64:15:64:21 | access to array | +| argvLocal.c:67:14:67:17 | argv | argvLocal.c:67:14:67:20 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... | -| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... | -| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | -| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | -| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | +| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:100:7:100:10 | argv | argvLocal.c:100:2:100:13 | Store | +| argvLocal.c:100:7:100:10 | argv | argvLocal.c:100:7:100:13 | access to array | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... 
| -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... | +| argvLocal.c:100:7:100:10 | argv | argvLocal.c:143:13:143:26 | Store | +| argvLocal.c:100:7:100:10 | argv | argvLocal.c:143:14:143:25 | ... , ... | +| argvLocal.c:100:7:100:10 | argv | argvLocal.c:143:24:143:25 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... | +| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:105:14:105:17 | argv | argvLocal.c:105:14:105:17 | Store | +| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:10 | i2 | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... 
| | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | +| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:16 | i2 | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | +| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:10:110:11 | i2 | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | +| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:16:111:17 | i2 | +| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:111:15:111:17 | * ... 
| argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:2:115:7 | call to memcpy | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:13:115:19 | (const void *)... | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:13:115:19 | access to array | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... 
| -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... 
| +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | | argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument | +| argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | | argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:117:15:117:16 | printWrapper output argument | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... 
| +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | | argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument | +| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:9:25:9:31 | correct | | argvLocal.c:122:15:122:16 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... | -| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | +| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:126:10:126:16 | access to array | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:126:10:126:19 | access to array | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... 
| -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... 
| +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument | +| argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | | argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... | -| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... | +| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | Argument 0 indirection | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... | +| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | Argument 0 indirection | +| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:132:15:132:20 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | +| argvLocal.c:136:15:136:18 | -- ... 
| argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:136:15:136:18 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | +| argvLocal.c:139:9:139:12 | argv | argvLocal.c:139:9:139:15 | access to array | +| argvLocal.c:140:15:140:18 | argv | argvLocal.c:140:15:140:21 | access to array | +| argvLocal.c:143:14:143:17 | argv | argvLocal.c:143:14:143:20 | access to array | +| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:149:11:149:14 | argv | argvLocal.c:149:2:149:17 | Store | +| argvLocal.c:149:11:149:14 | argv | argvLocal.c:149:11:149:17 | access to array | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | +| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:2:156:7 | call to memcpy | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:23:156:29 | (const void *)... | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:23:156:29 | access to array | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... 
| -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | +| argvLocal.c:158:15:158:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | +| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:2:163:7 | call to memcpy | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:28 | access to array | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:32 | (const void *)... | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:32 | ... + ... | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... 
| -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | +| argvLocal.c:165:15:165:17 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | +| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:168:18:168:21 | argv | argvLocal.c:168:12:168:24 | (int)... | +| argvLocal.c:168:18:168:21 | argv | argvLocal.c:168:12:168:24 | Store | +| argvLocal.c:168:18:168:21 | argv | argvLocal.c:168:18:168:24 | access to array | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... 
| | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | +| argvLocal.c:170:15:170:26 | (char *)... | argvLocal.c:9:25:9:31 | correct | +| argvLocal.c:170:15:170:26 | (char *)... | argvLocal.c:9:25:9:31 | correct | nodes | argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct | | argvLocal.c:9:25:9:31 | correct | semmle.label | correct | -| argvLocal.c:10:9:10:15 | Chi | semmle.label | Chi | -| argvLocal.c:10:9:10:15 | Chi | semmle.label | Chi | +| argvLocal.c:9:25:9:31 | correct | semmle.label | correct | +| argvLocal.c:10:9:10:15 | (const char *)... | semmle.label | (const char *)... | +| argvLocal.c:10:9:10:15 | correct | semmle.label | correct | +| argvLocal.c:63:9:63:12 | argv | semmle.label | argv | +| argvLocal.c:63:9:63:12 | argv | semmle.label | argv | +| argvLocal.c:63:9:63:15 | access to array | semmle.label | access to array | +| argvLocal.c:64:15:64:18 | argv | semmle.label | argv | +| argvLocal.c:64:15:64:18 | argv | semmle.label | argv | +| argvLocal.c:64:15:64:21 | access to array | semmle.label | access to array | +| argvLocal.c:67:14:67:17 | argv | semmle.label | argv | +| argvLocal.c:67:14:67:17 | argv | semmle.label | argv | +| argvLocal.c:67:14:67:20 | access to array | semmle.label | access to array | +| argvLocal.c:95:9:95:12 | argv | semmle.label | argv | | argvLocal.c:95:9:95:12 | argv | semmle.label | argv | | argvLocal.c:95:9:95:12 | argv | semmle.label | argv | -| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... 
| | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | -| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | +| argvLocal.c:96:15:96:18 | argv | semmle.label | argv | | argvLocal.c:96:15:96:18 | argv | semmle.label | argv | | argvLocal.c:96:15:96:18 | argv | semmle.label | argv | | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | +| argvLocal.c:100:2:100:13 | Store | semmle.label | Store | | argvLocal.c:100:7:100:10 | argv | semmle.label | argv | | argvLocal.c:100:7:100:10 | argv | semmle.label | argv | +| argvLocal.c:100:7:100:10 | argv | semmle.label | argv | +| argvLocal.c:100:7:100:13 | access to array | semmle.label | access to array | | argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | +| argvLocal.c:105:14:105:17 | Store | semmle.label | Store | | argvLocal.c:105:14:105:17 | argv | semmle.label | argv | | argvLocal.c:105:14:105:17 | argv | semmle.label | argv | +| argvLocal.c:105:14:105:17 | argv | semmle.label | argv | +| argvLocal.c:106:9:106:10 | i2 | semmle.label | i2 | | argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... 
| -| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | +| argvLocal.c:107:15:107:16 | i2 | semmle.label | i2 | | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | +| argvLocal.c:110:10:110:11 | i2 | semmle.label | i2 | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | +| argvLocal.c:111:16:111:17 | i2 | semmle.label | i2 | +| argvLocal.c:115:2:115:7 | call to memcpy | semmle.label | call to memcpy | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv | +| argvLocal.c:115:13:115:19 | (const void *)... | semmle.label | (const void *)... | +| argvLocal.c:115:13:115:19 | access to array | semmle.label | access to array | | argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... 
| -| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 | | argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | -| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 | | argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | -| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv | +| argvLocal.c:126:10:126:13 | argv | semmle.label | argv | +| argvLocal.c:126:10:126:16 | access to array | semmle.label | access to array | +| argvLocal.c:126:10:126:19 | access to array | semmle.label | access to array | | argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... 
| -| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 | +| argvLocal.c:127:9:127:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:128:15:128:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion | -| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 | +| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... | -| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | +| argvLocal.c:131:9:131:14 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | +| argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | -- ... 
| semmle.label | -- ... | -| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | -| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... | +| argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:139:9:139:12 | argv | semmle.label | argv | +| argvLocal.c:139:9:139:12 | argv | semmle.label | argv | +| argvLocal.c:139:9:139:15 | access to array | semmle.label | access to array | +| argvLocal.c:140:15:140:18 | argv | semmle.label | argv | +| argvLocal.c:140:15:140:18 | argv | semmle.label | argv | +| argvLocal.c:140:15:140:21 | access to array | semmle.label | access to array | +| argvLocal.c:143:13:143:26 | Store | semmle.label | Store | +| argvLocal.c:143:14:143:17 | argv | semmle.label | argv | +| argvLocal.c:143:14:143:17 | argv | semmle.label | argv | +| argvLocal.c:143:14:143:20 | access to array | semmle.label | access to array | +| argvLocal.c:143:14:143:25 | ... , ... | semmle.label | ... , ... | +| argvLocal.c:143:24:143:25 | i1 | semmle.label | i1 | | argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | -| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | +| argvLocal.c:149:2:149:17 | Store | semmle.label | Store | | argvLocal.c:149:11:149:14 | argv | semmle.label | argv | | argvLocal.c:149:11:149:14 | argv | semmle.label | argv | +| argvLocal.c:149:11:149:14 | argv | semmle.label | argv | +| argvLocal.c:149:11:149:17 | access to array | semmle.label | access to array | | argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... 
| -| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | +| argvLocal.c:156:2:156:7 | call to memcpy | semmle.label | call to memcpy | | argvLocal.c:156:23:156:26 | argv | semmle.label | argv | | argvLocal.c:156:23:156:26 | argv | semmle.label | argv | +| argvLocal.c:156:23:156:29 | (const void *)... | semmle.label | (const void *)... | +| argvLocal.c:156:23:156:29 | access to array | semmle.label | access to array | | argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 | -| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | +| argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | +| argvLocal.c:163:2:163:7 | call to memcpy | semmle.label | call to memcpy | | argvLocal.c:163:22:163:25 | argv | semmle.label | argv | | argvLocal.c:163:22:163:25 | argv | semmle.label | argv | +| argvLocal.c:163:22:163:28 | access to array | semmle.label | access to array | +| argvLocal.c:163:22:163:32 | (const void *)... | semmle.label | (const void *)... | +| argvLocal.c:163:22:163:32 | ... + ... | semmle.label | ... + ... | | argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... 
| -| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 | -| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | +| argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | +| argvLocal.c:168:12:168:24 | (int)... | semmle.label | (int)... | +| argvLocal.c:168:12:168:24 | Store | semmle.label | Store | | argvLocal.c:168:18:168:21 | argv | semmle.label | argv | | argvLocal.c:168:18:168:21 | argv | semmle.label | argv | -| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... | +| argvLocal.c:168:18:168:21 | argv | semmle.label | argv | +| argvLocal.c:168:18:168:24 | access to array | semmle.label | access to array | | argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... | | argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... | | argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... 
| | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | -| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | #select -| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | argv | -| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | argv | -| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv | -| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv | -| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv | -| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv | -| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv | -| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv | -| argvLocal.c:116:9:116:10 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv | -| argvLocal.c:117:15:117:16 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv | -| argvLocal.c:121:9:121:10 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv | -| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv | -| argvLocal.c:127:9:127:10 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv | -| argvLocal.c:128:15:128:16 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which 
calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv | -| argvLocal.c:131:9:131:14 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv | -| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv | -| argvLocal.c:135:9:135:12 | ... ++ | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv | -| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv | -| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv | -| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv | -| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv | -| 
argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv | -| argvLocal.c:157:9:157:10 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv | -| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv | -| argvLocal.c:164:9:164:11 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv | -| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv | -| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv | -| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv | +| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | 
argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | a command line argument | +| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | a command line argument | +| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | +| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | +| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | +| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | +| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | +| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | +| argvLocal.c:127:9:127:10 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | +| argvLocal.c:131:9:131:14 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | +| argvLocal.c:132:15:132:20 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | +| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to 
printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | +| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | +| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | a command line argument | +| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | a command line argument | +| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | a command line argument | +| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | a command line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected index a05e392ecf29..6bfc87e72dce 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
@@ -1,83 +1,83 @@ edges | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... | -| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 | +| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | Argument 0 indirection | +| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:57:10:57:14 | access to array | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... | -| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 | -| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... | -| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | -| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... | -| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 | +| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | Argument 0 indirection | +| funcsLocal.c:21:8:21:9 | fread output argument | funcsLocal.c:22:15:22:16 | array to pointer conversion | | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... | -| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 | -| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... | -| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | +| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | Argument 0 indirection | +| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:31:13:31:17 | Store | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... | -| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... 
| -| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | -| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | -| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... | -| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 | -| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... | -| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 | +| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | Argument 0 indirection | | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... | -| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 | -| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... | -| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 | -| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... | +| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | Argument 0 indirection | +| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:41:13:41:16 | Store | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | -| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | -| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | -| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... | -| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 | -| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... 
| -| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 | +| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | Argument 0 indirection | nodes +| funcsLocal.c:16:8:16:9 | (void *)... | semmle.label | (void *)... | +| funcsLocal.c:16:8:16:9 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument | | funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument | | funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 | | funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 | +| funcsLocal.c:17:9:17:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:21:8:21:9 | (void *)... | semmle.label | (void *)... | +| funcsLocal.c:21:8:21:9 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:21:8:21:9 | fread output argument | semmle.label | fread output argument | +| funcsLocal.c:21:8:21:9 | i2 | semmle.label | i2 | +| funcsLocal.c:22:15:22:16 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:26:2:26:6 | call to fgets | semmle.label | call to fgets | +| funcsLocal.c:26:8:26:9 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 | | funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... 
| -| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 | +| funcsLocal.c:27:9:27:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:31:13:31:17 | Store | semmle.label | Store | | funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets | | funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets | +| funcsLocal.c:31:19:31:21 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:31:19:31:21 | i41 | semmle.label | i41 | | funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 | -| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 | +| funcsLocal.c:32:9:32:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 | +| funcsLocal.c:36:2:36:5 | call to gets | semmle.label | call to gets | +| funcsLocal.c:36:7:36:8 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 | | funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... 
| -| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 | +| funcsLocal.c:37:9:37:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:41:13:41:16 | Store | semmle.label | Store | | funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets | | funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets | +| funcsLocal.c:41:18:41:20 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:41:18:41:20 | i61 | semmle.label | i61 | | funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... | -| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 | +| funcsLocal.c:42:9:42:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 | -| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 | -| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... | +| funcsLocal.c:46:2:46:5 | call to gets | semmle.label | call to gets | +| funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... | +| funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets | +| funcsLocal.c:52:13:52:15 | array to pointer conversion | semmle.label | array to pointer conversion | +| funcsLocal.c:52:13:52:15 | i81 | semmle.label | i81 | +| funcsLocal.c:57:10:57:14 | access to array | semmle.label | access to array | | funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... 
| -| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 | +| funcsLocal.c:58:9:58:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | #select -| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread | -| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets | -| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets | -| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets | -| funcsLocal.c:37:9:37:10 | i5 | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets | -| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets | -| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets | -| funcsLocal.c:58:9:58:10 | e1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 | The 
value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread | +| funcsLocal.c:17:9:17:10 | Argument 0 indirection | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | fread output argument | String read by fread | +| funcsLocal.c:27:9:27:10 | Argument 0 indirection | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | fgets output argument | String read by fgets | +| funcsLocal.c:32:9:32:10 | Argument 0 indirection | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | fgets output argument | String read by fgets | +| funcsLocal.c:37:9:37:10 | Argument 0 indirection | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | gets output argument | String read by gets | +| funcsLocal.c:42:9:42:10 | Argument 0 indirection | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | gets output argument | String read by gets | +| funcsLocal.c:58:9:58:10 | Argument 0 indirection | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | Argument 0 indirection | The value of this argument may come 
from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | fread output argument | String read by fread | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected index 58e3dda09647..174459167d15 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected 
@@ -1,3 +1,30 @@ edges +| globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy | +| globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | Store | +| globalVars.c:11:22:11:25 | argv | globalVars.c:12:9:12:12 | argv | +| globalVars.c:11:22:11:25 | argv | globalVars.c:12:9:12:15 | access to array | +| globalVars.c:12:2:12:15 | Store | globalVars.c:8:7:8:10 | copy | +| globalVars.c:12:2:12:15 | Store | globalVars.c:8:7:8:10 | copy | +| globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | Store | +| globalVars.c:16:2:16:12 | Store | globalVars.c:9:7:9:11 | copy2 | +| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | +| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | +| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | +| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val | nodes +| globalVars.c:8:7:8:10 | copy | semmle.label | copy | +| globalVars.c:8:7:8:10 | copy | semmle.label | copy | +| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 | +| globalVars.c:11:22:11:25 | argv | semmle.label | argv | +| globalVars.c:11:22:11:25 | argv | semmle.label | argv | +| globalVars.c:11:22:11:25 | argv | semmle.label | argv | +| globalVars.c:12:2:12:15 | Store | semmle.label | Store | +| globalVars.c:12:9:12:12 | argv | semmle.label | argv | +| globalVars.c:12:9:12:15 | access to array | semmle.label | access to array | +| globalVars.c:15:21:15:23 | val | semmle.label | val | +| globalVars.c:16:2:16:12 | Store | semmle.label | Store | +| globalVars.c:24:11:24:14 | argv | semmle.label | argv | +| globalVars.c:24:11:24:14 | argv | semmle.label | argv | +| globalVars.c:24:11:24:14 | argv | semmle.label | argv | +| globalVars.c:35:11:35:14 | copy | semmle.label | copy | #select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected index 62c36d0192d8..a04dc0d07032 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected 
@@ -1,157 +1,157 @@ edges +| ifs.c:61:8:61:11 | argv | ifs.c:61:8:61:14 | access to array | +| ifs.c:61:8:61:11 | argv | ifs.c:62:2:62:7 | Phi | | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... | -| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... | -| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | -| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | +| ifs.c:68:8:68:11 | argv | ifs.c:68:8:68:14 | access to array | +| ifs.c:68:8:68:11 | argv | ifs.c:69:2:69:7 | Phi | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... | -| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... | -| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | -| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | -| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... | +| ifs.c:74:8:74:11 | argv | ifs.c:74:3:74:14 | Store | +| ifs.c:74:8:74:11 | argv | ifs.c:74:8:74:14 | access to array | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | -| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | -| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | +| ifs.c:80:8:80:11 | argv | ifs.c:80:3:80:14 | Store | +| ifs.c:80:8:80:11 | argv | ifs.c:80:8:80:14 | access to array | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... | -| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... | -| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | -| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | -| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... 
| +| ifs.c:86:8:86:11 | argv | ifs.c:86:3:86:14 | Store | +| ifs.c:86:8:86:11 | argv | ifs.c:86:8:86:14 | access to array | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | -| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | -| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | +| ifs.c:92:8:92:11 | argv | ifs.c:92:3:92:14 | Store | +| ifs.c:92:8:92:11 | argv | ifs.c:92:8:92:14 | access to array | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... | -| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... | -| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | -| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | -| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... | +| ifs.c:98:8:98:11 | argv | ifs.c:98:3:98:14 | Store | +| ifs.c:98:8:98:11 | argv | ifs.c:98:8:98:14 | access to array | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | -| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | -| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | +| ifs.c:105:8:105:11 | argv | ifs.c:105:3:105:14 | Store | +| ifs.c:105:8:105:11 | argv | ifs.c:105:8:105:14 | access to array | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... | -| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... | -| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | -| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | -| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... 
| +| ifs.c:111:8:111:11 | argv | ifs.c:111:8:111:14 | access to array | +| ifs.c:111:8:111:11 | argv | ifs.c:112:2:112:7 | Phi | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | -| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | -| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | +| ifs.c:117:8:117:11 | argv | ifs.c:117:8:117:14 | access to array | +| ifs.c:117:8:117:11 | argv | ifs.c:118:2:118:7 | Phi | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... | -| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... | -| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | -| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | -| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... | +| ifs.c:123:8:123:11 | argv | ifs.c:123:8:123:14 | access to array | +| ifs.c:123:8:123:11 | argv | ifs.c:124:2:124:7 | Phi | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | -| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | -| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | nodes | ifs.c:61:8:61:11 | argv | semmle.label | argv | | ifs.c:61:8:61:11 | argv | semmle.label | argv | +| ifs.c:61:8:61:11 | argv | semmle.label | argv | +| ifs.c:61:8:61:14 | access to array | semmle.label | access to array | +| ifs.c:62:2:62:7 | Phi | semmle.label | Phi | | ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... 
| -| ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:68:8:68:11 | argv | semmle.label | argv | | ifs.c:68:8:68:11 | argv | semmle.label | argv | -| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... | +| ifs.c:68:8:68:11 | argv | semmle.label | argv | +| ifs.c:68:8:68:14 | access to array | semmle.label | access to array | +| ifs.c:69:2:69:7 | Phi | semmle.label | Phi | | ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:69:9:69:10 | c8 | semmle.label | c8 | | ifs.c:69:9:69:10 | c8 | semmle.label | c8 | -| ifs.c:69:9:69:10 | c8 | semmle.label | c8 | +| ifs.c:74:3:74:14 | Store | semmle.label | Store | | ifs.c:74:8:74:11 | argv | semmle.label | argv | | ifs.c:74:8:74:11 | argv | semmle.label | argv | +| ifs.c:74:8:74:11 | argv | semmle.label | argv | +| ifs.c:74:8:74:14 | access to array | semmle.label | access to array | | ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:75:9:75:10 | i1 | semmle.label | i1 | | ifs.c:75:9:75:10 | i1 | semmle.label | i1 | | ifs.c:75:9:75:10 | i1 | semmle.label | i1 | +| ifs.c:80:3:80:14 | Store | semmle.label | Store | | ifs.c:80:8:80:11 | argv | semmle.label | argv | | ifs.c:80:8:80:11 | argv | semmle.label | argv | -| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... | +| ifs.c:80:8:80:11 | argv | semmle.label | argv | +| ifs.c:80:8:80:14 | access to array | semmle.label | access to array | | ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... 
| | ifs.c:81:9:81:10 | i2 | semmle.label | i2 | | ifs.c:81:9:81:10 | i2 | semmle.label | i2 | -| ifs.c:81:9:81:10 | i2 | semmle.label | i2 | +| ifs.c:86:3:86:14 | Store | semmle.label | Store | | ifs.c:86:8:86:11 | argv | semmle.label | argv | | ifs.c:86:8:86:11 | argv | semmle.label | argv | +| ifs.c:86:8:86:11 | argv | semmle.label | argv | +| ifs.c:86:8:86:14 | access to array | semmle.label | access to array | | ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:87:9:87:10 | i3 | semmle.label | i3 | | ifs.c:87:9:87:10 | i3 | semmle.label | i3 | | ifs.c:87:9:87:10 | i3 | semmle.label | i3 | +| ifs.c:92:3:92:14 | Store | semmle.label | Store | | ifs.c:92:8:92:11 | argv | semmle.label | argv | | ifs.c:92:8:92:11 | argv | semmle.label | argv | -| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... | +| ifs.c:92:8:92:11 | argv | semmle.label | argv | +| ifs.c:92:8:92:14 | access to array | semmle.label | access to array | | ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:93:9:93:10 | i4 | semmle.label | i4 | | ifs.c:93:9:93:10 | i4 | semmle.label | i4 | -| ifs.c:93:9:93:10 | i4 | semmle.label | i4 | +| ifs.c:98:3:98:14 | Store | semmle.label | Store | | ifs.c:98:8:98:11 | argv | semmle.label | argv | | ifs.c:98:8:98:11 | argv | semmle.label | argv | +| ifs.c:98:8:98:11 | argv | semmle.label | argv | +| ifs.c:98:8:98:14 | access to array | semmle.label | access to array | | ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... 
| -| ifs.c:99:9:99:10 | i5 | semmle.label | i5 | | ifs.c:99:9:99:10 | i5 | semmle.label | i5 | | ifs.c:99:9:99:10 | i5 | semmle.label | i5 | +| ifs.c:105:3:105:14 | Store | semmle.label | Store | | ifs.c:105:8:105:11 | argv | semmle.label | argv | | ifs.c:105:8:105:11 | argv | semmle.label | argv | -| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... | +| ifs.c:105:8:105:11 | argv | semmle.label | argv | +| ifs.c:105:8:105:14 | access to array | semmle.label | access to array | | ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:106:9:106:10 | i6 | semmle.label | i6 | | ifs.c:106:9:106:10 | i6 | semmle.label | i6 | -| ifs.c:106:9:106:10 | i6 | semmle.label | i6 | | ifs.c:111:8:111:11 | argv | semmle.label | argv | | ifs.c:111:8:111:11 | argv | semmle.label | argv | +| ifs.c:111:8:111:11 | argv | semmle.label | argv | +| ifs.c:111:8:111:14 | access to array | semmle.label | access to array | +| ifs.c:112:2:112:7 | Phi | semmle.label | Phi | | ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:117:8:117:11 | argv | semmle.label | argv | | ifs.c:117:8:117:11 | argv | semmle.label | argv | -| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... | +| ifs.c:117:8:117:11 | argv | semmle.label | argv | +| ifs.c:117:8:117:14 | access to array | semmle.label | access to array | +| ifs.c:118:2:118:7 | Phi | semmle.label | Phi | | ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... 
| | ifs.c:118:9:118:10 | i8 | semmle.label | i8 | | ifs.c:118:9:118:10 | i8 | semmle.label | i8 | -| ifs.c:118:9:118:10 | i8 | semmle.label | i8 | | ifs.c:123:8:123:11 | argv | semmle.label | argv | | ifs.c:123:8:123:11 | argv | semmle.label | argv | +| ifs.c:123:8:123:11 | argv | semmle.label | argv | +| ifs.c:123:8:123:14 | access to array | semmle.label | access to array | +| ifs.c:124:2:124:7 | Phi | semmle.label | Phi | | ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:124:9:124:10 | i9 | semmle.label | i9 | | ifs.c:124:9:124:10 | i9 | semmle.label | i9 | | ifs.c:124:9:124:10 | i9 | semmle.label | i9 | #select -| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv | -| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv | -| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv | -| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv | -| ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv | -| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to 
printf(format) | ifs.c:92:8:92:11 | argv | argv | -| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv | -| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv | -| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv | -| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv | -| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | argv | +| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | a command line argument | +| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | a command line argument | +| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | a command line argument | +| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and 
is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | a command line argument | +| ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | a command line argument | +| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | a command line argument | +| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | a command line argument | +| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | a command line argument | +| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | a command line argument | +| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | a command line argument | +| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | a command line argument | From ad4a753daac846c8c37d5af38e0f65c2115ebbc9 Mon Sep 17 00:00:00 2001 
From: Robert Marsh Date: Wed, 1 Jul 2020 14:48:19 -0700 Subject: [PATCH 04/15] C++: model taint from pointers to aliased buffers --- .../dataflow/internal/TaintTrackingUtil.qll | 18 +++++++ .../CWE-134/semmle/argv/argvLocal.expected | 48 +++++++++++++++++++ 2 files changed, 66 insertions(+)
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
index 2290bab05713..72c629c43aba 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -134,4 +134,22 @@ predicate modeledInstructionTaintStep(Instruction instrIn, Instruction instrOut)
 modelMidOut.isParameterDeref(indexMid) and
 modelMidIn.isParameter(indexMid)
 )
+ or
+ // Taint flow from a pointer argument to an output, when the model specifies flow from the deref
+ // to that output, but the deref is not modeled in the IR for the caller.
+ exists(
+ CallInstruction call, ReadSideEffectInstruction read, Function func,
+ FunctionInput modelIn, FunctionOutput modelOut
+ |
+ read = callInput(call, modelIn) and
+ read.getArgumentDef() = instrIn and
+ not read.getSideEffect().isResultModeled() and
+ call.getStaticCallTarget() = func and
+ (
+ func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
+ or
+ func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
+ ) and
+ instrOut = callOutput(call, modelOut)
+ )
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
index cb8885ae85fc..b7602d03fc5c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
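Review bot: The new disjunct in the TaintTrackingUtil.qll hunk treats taint on the pointer argument (`read.getArgumentDef() = instrIn`) as taint on the pointee whenever `not read.getSideEffect().isResultModeled()` holds, and the comment above it does not say that this is a deliberate over-approximation. For `DataFlowFunction` models it also turns value flow from the deref into a taint step, so queries built on this predicate, such as the CWE-134 format-string query whose expected output changes here, can report a call because its pointer argument is tainted even when the buffer contents never came from a tainted source. I would extend the comment with something like `// Over-approximation: the pointer's taint stands in for the unmodeled pointee; this may add false positives.` Since the diffstat lists only `argvLocal.expected` besides the library file, a library-level taint test that pins one flow that should be found and one that should stay clean would make later regressions in either direction visible. The enclosing predicate `modeledInstructionTaintStep` starts outside this hunk, so how this case interacts with the earlier disjuncts cannot be checked from here.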
@@ -57,39 +57,56 @@ edges | argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:13:115:19 | (const void *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:13:115:19 | access to array | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... 
| | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | | argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument | | argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | | argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | | argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:117:15:117:16 | printWrapper output argument | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... 
| | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | | argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | | argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:122:15:122:16 | i4 | argvLocal.c:9:25:9:31 | correct | | argvLocal.c:122:15:122:16 | i4 | argvLocal.c:9:25:9:31 | correct | | argvLocal.c:122:15:122:16 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... | +| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:126:10:126:16 | access to array | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:126:10:126:19 | access to array | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... | 
@@ -142,6 +159,8 @@ edges | argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:23:156:29 | (const void *)... | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:23:156:29 | access to array | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | @@ -153,6 +172,8 @@ edges | argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:32 | (const void *)... | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:32 | ... + ... | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | 
@@ -233,18 +254,27 @@ nodes | argvLocal.c:115:2:115:7 | call to memcpy | semmle.label | call to memcpy | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv | +| argvLocal.c:115:13:115:16 | argv | semmle.label | argv | | argvLocal.c:115:13:115:19 | (const void *)... | semmle.label | (const void *)... | | argvLocal.c:115:13:115:19 | access to array | semmle.label | access to array | | argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... | +| argvLocal.c:116:9:116:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | +| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... 
| +| argvLocal.c:121:9:121:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument | +| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv | @@ -266,9 +296,11 @@ nodes | argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... | +| argvLocal.c:135:9:135:12 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:139:9:139:12 | argv | semmle.label | argv | | argvLocal.c:139:9:139:12 | argv | semmle.label | argv | | argvLocal.c:139:9:139:15 | access to array | semmle.label | access to array | 
@@ -301,19 +333,25 @@ nodes | argvLocal.c:156:2:156:7 | call to memcpy | semmle.label | call to memcpy | | argvLocal.c:156:23:156:26 | argv | semmle.label | argv | | argvLocal.c:156:23:156:26 | argv | semmle.label | argv | +| argvLocal.c:156:23:156:26 | argv | semmle.label | argv | | argvLocal.c:156:23:156:29 | (const void *)... | semmle.label | (const void *)... | | argvLocal.c:156:23:156:29 | access to array | semmle.label | access to array | | argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... | +| argvLocal.c:157:9:157:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | | argvLocal.c:163:2:163:7 | call to memcpy | semmle.label | call to memcpy | | argvLocal.c:163:22:163:25 | argv | semmle.label | argv | | argvLocal.c:163:22:163:25 | argv | semmle.label | argv | +| argvLocal.c:163:22:163:25 | argv | semmle.label | argv | | argvLocal.c:163:22:163:28 | access to array | semmle.label | access to array | | argvLocal.c:163:22:163:32 | (const void *)... | semmle.label | (const void *)... | | argvLocal.c:163:22:163:32 | ... + ... | semmle.label | ... + ... | | argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... | +| argvLocal.c:164:9:164:11 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | 
@@ -340,13 +378,23 @@ nodes | argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | | argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | | argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | +| argvLocal.c:116:9:116:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | +| argvLocal.c:121:9:121:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | 
argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | | argvLocal.c:127:9:127:10 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | | argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | | argvLocal.c:131:9:131:14 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | | argvLocal.c:132:15:132:20 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | +| argvLocal.c:135:9:135:12 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | +| argvLocal.c:136:15:136:18 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 
| Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | | argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | | argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | | argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | a command line argument | | argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | a command line argument | +| argvLocal.c:157:9:157:10 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | a command line argument | +| argvLocal.c:158:15:158:16 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | 
argv | a command line argument | +| argvLocal.c:164:9:164:11 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | a command line argument | +| argvLocal.c:165:15:165:17 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | a command line argument | | argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | a command line argument | | argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | a command line argument | From 6cff8aa8f079c1ea8829a498dbc095c502567989 Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Mon, 10 Aug 2020 16:42:44 -0400 Subject: [PATCH 05/15] C++: Grammar/style fixes from code review Co-authored-by: Jonas Jensen --- cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll | 6 +++--- cpp/ql/src/semmle/code/cpp/security/FlowSources.qll | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll index 8952d7499428..c0c95b387567 100644 --- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll +++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll 
@@ -11,7 +11,7 @@ import FunctionInputsAndOutputs import semmle.code.cpp.models.Models /** - * A library function which returns data that may be read from a network connection. + * A library function that returns data that may be read from a network connection. */ abstract class RemoteFlowFunction extends Function { /** @@ -21,11 +21,11 @@ abstract class RemoteFlowFunction extends Function { } /** - * A library function which returns data that is directly controlled by a user. + * A library function that returns data that is directly controlled by a user. */ abstract class LocalFlowFunction extends Function { /** * Holds if data described by `description` flows from `output` of a call to this function. */ abstract predicate hasLocalFlowSource(FunctionOutput output, string description); -} \ No newline at end of file +} diff --git a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll index 62ef81175e5a..b83fcf720682 100644 --- a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll +++ b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll @@ -96,5 +96,5 @@ private class ArgvSource extends LocalFlowSource { ) } - override string getSourceType() { result = "a command line argument" } + override string getSourceType() { result = "a command-line argument" } } From 9f185a190b58150c37bb03ed784fb919653d2eed Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Mon, 10 Aug 2020 14:40:05 -0700 Subject: [PATCH 06/15] C++: common superclass for Remote/LocalFlowSource --- .../CWE/CWE-134/UncontrolledFormatString.ql | 11 ++--------- .../src/semmle/code/cpp/security/FlowSources.qll | 14 +++++++------- 2 files changed, 9 insertions(+), 16 deletions(-) diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql index 3ac7ca4cc9d9..c5863d09b719 100644 --- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql 
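Review bot: The `getSourceType` change in the `@@ -96,5 +96,5 @@` hunk of FlowSources.qll alters text that ends up in alert messages, but this commit's diffstat lists only the two `.qll` files. The `argvLocal.expected` rows added earlier in the series still read `a command line argument`, so the CWE-134 query tests would presumably stop matching until those files are regenerated. Updating the affected `.expected` files in this same commit keeps each step of the series green, so a real regression in the query is not masked by a known wording mismatch. `ArgvSource` starts outside the hunk.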
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql @@ -22,10 +22,7 @@ class UncontrolledFormatStringConfiguration extends TaintTracking::Configuration UncontrolledFormatStringConfiguration() { this = "UncontrolledFormatStringConfiguration" } override predicate isSource(DataFlow::Node node) { - node instanceof RemoteFlowSource - or - // Even locally-sourced format strings can cause crashes or information leaks - node instanceof LocalFlowSource + node instanceof FlowSource } override predicate isSink(DataFlow::Node node) { @@ -45,11 +42,7 @@ where printf.outermostWrapperFunctionCall(sinkNode.getNode().asArgumentIndirection(), printfFunction) or printf.outermostWrapperFunctionCall(sinkNode.getNode().asConvertedExpr(), printfFunction) ) and - ( - cause = sourceNode.getNode().(RemoteFlowSource).getSourceType() - or - cause = sourceNode.getNode().(LocalFlowSource).getSourceType() - ) and + cause = sourceNode.getNode().(FlowSource).getSourceType()and conf.hasFlowPath(sourceNode, sinkNode) select sinkNode, sourceNode, sinkNode, "The value of this argument may come from $@ and is being used as a formatting argument to " + diff --git a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll index b83fcf720682..4fe5d1bb8736 100644 --- a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll +++ b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll 
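Review bot: The `isSource` hunk (`@@ -22,10 +22,7 @@`) deletes the comment `// Even locally-sourced format strings can cause crashes or information leaks`, which was the only record of why this CWE-134 query treats local input as tainted. With `node instanceof FlowSource` the predicate will also accept any further `FlowSource` subclass added later, so the intent is worth keeping next to it, for example `// All flow sources, local ones included: a locally supplied format string can still cause crashes or information leaks`. The configuration class starts and ends outside the hunk.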
@@ -7,17 +7,17 @@ import semmle.code.cpp.ir.dataflow.DataFlow private import semmle.code.cpp.ir.IR import semmle.code.cpp.models.interfaces.FlowSource -/** A data flow source of remote user input. */ -abstract class RemoteFlowSource extends DataFlow::Node { - /** Gets a string that describes the type of this remote flow source. */ +/** A data flow source of user input, whether local or remote. */ +abstract class FlowSource extends DataFlow::Node { + /** Gets a string that describes the type of this flow source. */ abstract string getSourceType(); } +/** A data flow source of remote user input. */ +abstract class RemoteFlowSource extends FlowSource { } + /** A data flow source of local user input. */ -abstract class LocalFlowSource extends DataFlow::Node { - /** Gets a string that describes the type of this local flow source. */ - abstract string getSourceType(); -} +abstract class LocalFlowSource extends FlowSource { } private class RemoteReturnSource extends RemoteFlowSource { string sourceType; From 69f36b54b38a0540a011922f508d951eafaefd6f Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Mon, 10 Aug 2020 16:05:08 -0700 Subject: [PATCH 07/15] C++: fix formatting --- cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql index c5863d09b719..910f30eaad7b 100644 --- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql +++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql 
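Review bot: The QLDoc on the new `FlowSource` class does not warn query authors that matching on it puts local input, such as command-line arguments, on the same footing as remote input. That is the right scope for format-string checks, but it would add noise to a query whose threat model covers only a remote attacker. I would extend the comment to `/** A data flow source of user input, whether local or remote. Queries that only consider remote attackers should use RemoteFlowSource instead. */`. The one-line docs on `RemoteFlowSource` and `LocalFlowSource` can stay as they are.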
@@ -42,7 +42,7 @@ where printf.outermostWrapperFunctionCall(sinkNode.getNode().asArgumentIndirection(), printfFunction) or printf.outermostWrapperFunctionCall(sinkNode.getNode().asConvertedExpr(), printfFunction) ) and - cause = sourceNode.getNode().(FlowSource).getSourceType()and + cause = sourceNode.getNode().(FlowSource).getSourceType() and conf.hasFlowPath(sourceNode, sinkNode) select sinkNode, sourceNode, sinkNode, "The value of this argument may come from $@ and is being used as a formatting argument to " + From fe51cd637976d82336f2f59fd13f3d2f71eb55cd Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Mon, 10 Aug 2020 16:34:44 -0700 Subject: [PATCH 08/15] C++: import IR virtual dispatch directly Prevents DefaultTaintTracking dataflow configurations from being active --- .../cpp/security/FunctionWithWrappers.qll | 17 +- .../CWE-134/semmle/argv/argvLocal.expected | 338 ++---------------- .../CWE-134/semmle/funcs/funcsLocal.expected | 57 --- .../UncontrolledFormatString.expected | 27 -- .../CWE/CWE-134/semmle/ifs/ifs.expected | 132 +------ 5 files changed, 55 insertions(+), 516 deletions(-) diff --git a/cpp/ql/src/semmle/code/cpp/security/FunctionWithWrappers.qll b/cpp/ql/src/semmle/code/cpp/security/FunctionWithWrappers.qll index 5451011b3511..b7ede454f787 100644 --- a/cpp/ql/src/semmle/code/cpp/security/FunctionWithWrappers.qll +++ b/cpp/ql/src/semmle/code/cpp/security/FunctionWithWrappers.qll @@ -17,7 +17,8 @@ import cpp import PrintfLike -private import TaintTracking +private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch +private import semmle.code.cpp.ir.IR as IR bindingset[index] private string toCause(Function func, int index) { 
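Review bot: The import added in the `@@ -17,7 +17,8 @@` hunk of FunctionWithWrappers.qll reaches into `semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch`, a module under `internal` that presumably carries no stability promise, and nothing next to it says why. The reason is given only in the commit message, so a comment on the import would keep it with the code: `// Imported directly instead of via TaintTracking so the DefaultTaintTracking configurations are not activated`. The `resolveCall` predicate added in the following hunk is the only visible user of the `Dispatch` and `IR` aliases. Its QLDoc could also state that the predicate has no result when no target can be resolved, which looks to be the case from the `exists` body. `toCause` continues outside the hunk.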
@@ -169,6 +170,20 @@ abstract class FunctionWithWrappers extends Function { } } +/** + * Resolve potential target function(s) for `call`. + * + * If `call` is a call through a function pointer (`ExprCall`) or + * targets a virtual method, simple data flow analysis is performed + * in order to identify target(s). + */ +private Function resolveCall(Call call) { + exists(IR::CallInstruction callInstruction | + callInstruction.getAST() = call and + result = Dispatch::viableCallable(callInstruction) + ) +} + /** * A `printf`-like formatting function. */ diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index b7602d03fc5c..6ecbb1f28e61 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
@@ -1,400 +1,118 @@ edges -| argvLocal.c:9:25:9:31 | *correct | argvLocal.c:10:9:10:15 | (const char *)... | -| argvLocal.c:9:25:9:31 | correct | argvLocal.c:10:9:10:15 | (const char *)... | -| argvLocal.c:9:25:9:31 | correct | argvLocal.c:10:9:10:15 | correct | -| argvLocal.c:63:9:63:12 | argv | argvLocal.c:63:9:63:15 | access to array | -| argvLocal.c:64:15:64:18 | argv | argvLocal.c:64:15:64:21 | access to array | -| argvLocal.c:67:14:67:17 | argv | argvLocal.c:67:14:67:20 | access to array | -| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | -| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | -| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | -| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | -| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:100:2:100:13 | Store | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:100:7:100:13 | access to array | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:143:13:143:26 | Store | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:143:14:143:25 | ... , ... 
| -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:143:24:143:25 | i1 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | -| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | -| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:105:14:105:17 | Store | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:10 | i2 | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:16 | i2 | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:10:110:11 | i2 | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... 
| -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:16:111:17 | i2 | -| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:2:115:7 | call to memcpy | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:13:115:19 | (const void *)... | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:115:13:115:19 | access to array | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... 
| | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | -| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | -| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument | | argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument | -| argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:117:15:117:16 | printWrapper output argument | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... 
| | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | -| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | | argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument | -| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument | -| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument | -| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection | -| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | -| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | -| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:126:10:126:16 | access to array | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:126:10:126:19 | access to array | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... 
| | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | -| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | -| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | -| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument | -| argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:128:15:128:16 | printWrapper output argument | -| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... 
| | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | Argument 0 indirection | -| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... | -| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... | -| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | Argument 0 indirection | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | Argument 0 indirection | -| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:132:15:132:20 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | -| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:136:15:136:18 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | -| argvLocal.c:139:9:139:12 | argv | argvLocal.c:139:9:139:15 | access to array | -| argvLocal.c:140:15:140:18 | argv | argvLocal.c:140:15:140:21 | access to array | -| argvLocal.c:143:14:143:17 | argv | argvLocal.c:143:14:143:20 | access to array | -| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:149:2:149:17 | Store | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:149:11:149:17 | access to array | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... 
| | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | -| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | -| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:2:156:7 | call to memcpy | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:23:156:29 | (const void *)... | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:156:23:156:29 | access to array | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | -| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | -| argvLocal.c:158:15:158:16 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | -| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:2:163:7 | call to memcpy | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:28 | access to array | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:32 | (const void *)... | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:163:22:163:32 | ... + ... | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... 
| | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | -| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | -| argvLocal.c:165:15:165:17 | Argument 0 indirection | argvLocal.c:9:25:9:31 | *correct | -| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:168:12:168:24 | (int)... | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:168:12:168:24 | Store | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:168:18:168:24 | access to array | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | -| argvLocal.c:170:15:170:26 | (char *)... | argvLocal.c:9:25:9:31 | correct | -| argvLocal.c:170:15:170:26 | (char *)... | argvLocal.c:9:25:9:31 | correct | nodes -| argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct | -| argvLocal.c:9:25:9:31 | correct | semmle.label | correct | -| argvLocal.c:9:25:9:31 | correct | semmle.label | correct | -| argvLocal.c:10:9:10:15 | (const char *)... | semmle.label | (const char *)... 
| -| argvLocal.c:10:9:10:15 | correct | semmle.label | correct | -| argvLocal.c:63:9:63:12 | argv | semmle.label | argv | -| argvLocal.c:63:9:63:12 | argv | semmle.label | argv | -| argvLocal.c:63:9:63:15 | access to array | semmle.label | access to array | -| argvLocal.c:64:15:64:18 | argv | semmle.label | argv | -| argvLocal.c:64:15:64:18 | argv | semmle.label | argv | -| argvLocal.c:64:15:64:21 | access to array | semmle.label | access to array | -| argvLocal.c:67:14:67:17 | argv | semmle.label | argv | -| argvLocal.c:67:14:67:17 | argv | semmle.label | argv | -| argvLocal.c:67:14:67:20 | access to array | semmle.label | access to array | -| argvLocal.c:95:9:95:12 | argv | semmle.label | argv | | argvLocal.c:95:9:95:12 | argv | semmle.label | argv | -| argvLocal.c:95:9:95:12 | argv | semmle.label | argv | -| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | | argvLocal.c:96:15:96:18 | argv | semmle.label | argv | -| argvLocal.c:96:15:96:18 | argv | semmle.label | argv | -| argvLocal.c:96:15:96:18 | argv | semmle.label | argv | -| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | -| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | -| argvLocal.c:100:2:100:13 | Store | semmle.label | Store | -| argvLocal.c:100:7:100:10 | argv | semmle.label | argv | | argvLocal.c:100:7:100:10 | argv | semmle.label | argv | -| argvLocal.c:100:7:100:10 | argv | semmle.label | argv | -| argvLocal.c:100:7:100:13 | access to array | semmle.label | access to array | -| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... 
| -| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | -| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | -| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | -| argvLocal.c:105:14:105:17 | Store | semmle.label | Store | -| argvLocal.c:105:14:105:17 | argv | semmle.label | argv | -| argvLocal.c:105:14:105:17 | argv | semmle.label | argv | | argvLocal.c:105:14:105:17 | argv | semmle.label | argv | -| argvLocal.c:106:9:106:10 | i2 | semmle.label | i2 | -| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | -| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | -| argvLocal.c:107:15:107:16 | i2 | semmle.label | i2 | -| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | -| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | -| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | -| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | -| argvLocal.c:110:10:110:11 | i2 | semmle.label | i2 | -| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | -| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | -| argvLocal.c:111:16:111:17 | i2 | semmle.label | i2 | -| argvLocal.c:115:2:115:7 | call to memcpy | semmle.label | call to memcpy | -| argvLocal.c:115:13:115:16 | argv | semmle.label | argv | -| argvLocal.c:115:13:115:16 | argv | semmle.label | argv | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv | -| argvLocal.c:115:13:115:19 | (const void *)... | semmle.label | (const void *)... 
| -| argvLocal.c:115:13:115:19 | access to array | semmle.label | access to array | -| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:116:9:116:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | -| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | -| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | -| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... 
| | argvLocal.c:121:9:121:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | -| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | -| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv | -| argvLocal.c:126:10:126:13 | argv | semmle.label | argv | -| argvLocal.c:126:10:126:13 | argv | semmle.label | argv | -| argvLocal.c:126:10:126:16 | access to array | semmle.label | access to array | -| argvLocal.c:126:10:126:19 | access to array | semmle.label | access to array | -| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:127:9:127:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:128:15:128:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:128:15:128:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:128:15:128:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion | -| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument | -| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument | -| argvLocal.c:131:9:131:14 | (const char *)... 
| semmle.label | (const char *)... | | argvLocal.c:131:9:131:14 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | -| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | -| argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:135:9:135:12 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | -| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | -| argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:139:9:139:12 | argv | semmle.label | argv | -| argvLocal.c:139:9:139:12 | argv | semmle.label | argv | -| argvLocal.c:139:9:139:15 | access to array | semmle.label | access to array | -| argvLocal.c:140:15:140:18 | argv | semmle.label | argv | -| argvLocal.c:140:15:140:18 | argv | semmle.label | argv | -| argvLocal.c:140:15:140:21 | access to array | semmle.label | access to array | -| argvLocal.c:143:13:143:26 | Store | semmle.label | Store | -| argvLocal.c:143:14:143:17 | argv | semmle.label | argv | -| argvLocal.c:143:14:143:17 | argv | semmle.label | argv | -| argvLocal.c:143:14:143:20 | access to array | semmle.label | access to array | -| argvLocal.c:143:14:143:25 | ... , ... | semmle.label | ... , ... | -| argvLocal.c:143:24:143:25 | i1 | semmle.label | i1 | -| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... 
| | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | -| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | -| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | -| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | -| argvLocal.c:149:2:149:17 | Store | semmle.label | Store | | argvLocal.c:149:11:149:14 | argv | semmle.label | argv | -| argvLocal.c:149:11:149:14 | argv | semmle.label | argv | -| argvLocal.c:149:11:149:14 | argv | semmle.label | argv | -| argvLocal.c:149:11:149:17 | access to array | semmle.label | access to array | -| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... | -| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | -| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | -| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | -| argvLocal.c:156:2:156:7 | call to memcpy | semmle.label | call to memcpy | | argvLocal.c:156:23:156:26 | argv | semmle.label | argv | -| argvLocal.c:156:23:156:26 | argv | semmle.label | argv | -| argvLocal.c:156:23:156:26 | argv | semmle.label | argv | -| argvLocal.c:156:23:156:29 | (const void *)... | semmle.label | (const void *)... | -| argvLocal.c:156:23:156:29 | access to array | semmle.label | access to array | -| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... 
| | argvLocal.c:157:9:157:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | -| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | -| argvLocal.c:163:2:163:7 | call to memcpy | semmle.label | call to memcpy | -| argvLocal.c:163:22:163:25 | argv | semmle.label | argv | -| argvLocal.c:163:22:163:25 | argv | semmle.label | argv | | argvLocal.c:163:22:163:25 | argv | semmle.label | argv | -| argvLocal.c:163:22:163:28 | access to array | semmle.label | access to array | -| argvLocal.c:163:22:163:32 | (const void *)... | semmle.label | (const void *)... | -| argvLocal.c:163:22:163:32 | ... + ... | semmle.label | ... + ... | -| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:164:9:164:11 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | -| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | -| argvLocal.c:168:12:168:24 | (int)... | semmle.label | (int)... | -| argvLocal.c:168:12:168:24 | Store | semmle.label | Store | -| argvLocal.c:168:18:168:21 | argv | semmle.label | argv | -| argvLocal.c:168:18:168:21 | argv | semmle.label | argv | | argvLocal.c:168:18:168:21 | argv | semmle.label | argv | -| argvLocal.c:168:18:168:24 | access to array | semmle.label | access to array | -| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... | -| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... 
| | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | -| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | -| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... | -| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... | -| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | #select -| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | a command line argument | -| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | a command line argument | -| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | -| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | -| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | -| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | 
The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | -| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | -| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command line argument | -| argvLocal.c:116:9:116:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | -| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | -| argvLocal.c:121:9:121:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | -| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to 
printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | -| argvLocal.c:127:9:127:10 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | -| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | -| argvLocal.c:131:9:131:14 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | -| argvLocal.c:132:15:132:20 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command line argument | -| argvLocal.c:135:9:135:12 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | -| argvLocal.c:136:15:136:18 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which 
calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command line argument | -| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | -| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | a command line argument | -| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | a command line argument | -| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | a command line argument | -| argvLocal.c:157:9:157:10 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | a command line argument | -| argvLocal.c:158:15:158:16 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | a command line argument | -| argvLocal.c:164:9:164:11 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | 
argvLocal.c:164:9:164:11 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | a command line argument | -| argvLocal.c:165:15:165:17 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | a command line argument | -| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | a command line argument | -| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | a command line argument | +| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | a command-line argument | +| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | a command-line argument | +| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | 
argv | a command-line argument | +| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | a command-line argument | +| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command-line argument | +| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command-line argument | +| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command-line argument | +| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command-line argument | +| argvLocal.c:116:9:116:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:121:9:121:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:127:9:127:10 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | The value of this argument 
may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:131:9:131:14 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:132:15:132:20 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:135:9:135:12 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:136:15:136:18 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | a command-line argument | +| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls 
printf(format) | argvLocal.c:100:7:100:10 | argv | a command-line argument | +| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | a command-line argument | +| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | a command-line argument | +| argvLocal.c:157:9:157:10 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | a command-line argument | +| argvLocal.c:158:15:158:16 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | a command-line argument | +| argvLocal.c:164:9:164:11 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | a command-line argument | +| argvLocal.c:165:15:165:17 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | a command-line argument | +| argvLocal.c:169:18:169:20 | 
i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | a command-line argument | +| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected index 6bfc87e72dce..5383bacf5e40 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
@@ -1,78 +1,21 @@ edges -| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | Argument 0 indirection | -| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:57:10:57:14 | access to array | -| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | Argument 0 indirection | -| funcsLocal.c:21:8:21:9 | fread output argument | funcsLocal.c:22:15:22:16 | array to pointer conversion | -| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... | | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | Argument 0 indirection | -| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:31:13:31:17 | Store | -| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... | -| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | -| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... | | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | Argument 0 indirection | -| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... | | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | Argument 0 indirection | -| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:41:13:41:16 | Store | -| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... | -| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | -| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... | | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | Argument 0 indirection | nodes -| funcsLocal.c:16:8:16:9 | (void *)... 
| semmle.label | (void *)... | -| funcsLocal.c:16:8:16:9 | array to pointer conversion | semmle.label | array to pointer conversion | | funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument | -| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument | -| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 | -| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:17:9:17:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| funcsLocal.c:21:8:21:9 | (void *)... | semmle.label | (void *)... | -| funcsLocal.c:21:8:21:9 | array to pointer conversion | semmle.label | array to pointer conversion | -| funcsLocal.c:21:8:21:9 | fread output argument | semmle.label | fread output argument | -| funcsLocal.c:21:8:21:9 | i2 | semmle.label | i2 | -| funcsLocal.c:22:15:22:16 | array to pointer conversion | semmle.label | array to pointer conversion | -| funcsLocal.c:26:2:26:6 | call to fgets | semmle.label | call to fgets | -| funcsLocal.c:26:8:26:9 | array to pointer conversion | semmle.label | array to pointer conversion | -| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument | -| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 | -| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... 
| | funcsLocal.c:27:9:27:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| funcsLocal.c:31:13:31:17 | Store | semmle.label | Store | -| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets | -| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets | -| funcsLocal.c:31:19:31:21 | array to pointer conversion | semmle.label | array to pointer conversion | -| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument | -| funcsLocal.c:31:19:31:21 | i41 | semmle.label | i41 | -| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:32:9:32:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 | -| funcsLocal.c:36:2:36:5 | call to gets | semmle.label | call to gets | -| funcsLocal.c:36:7:36:8 | array to pointer conversion | semmle.label | array to pointer conversion | | funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument | -| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument | -| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 | -| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... 
| | funcsLocal.c:37:9:37:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| funcsLocal.c:41:13:41:16 | Store | semmle.label | Store | -| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets | -| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets | -| funcsLocal.c:41:18:41:20 | array to pointer conversion | semmle.label | array to pointer conversion | -| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument | -| funcsLocal.c:41:18:41:20 | i61 | semmle.label | i61 | -| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:42:9:42:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | -| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 | -| funcsLocal.c:46:2:46:5 | call to gets | semmle.label | call to gets | -| funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... | -| funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets | -| funcsLocal.c:52:13:52:15 | array to pointer conversion | semmle.label | array to pointer conversion | -| funcsLocal.c:52:13:52:15 | i81 | semmle.label | i81 | -| funcsLocal.c:57:10:57:14 | access to array | semmle.label | access to array | -| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:58:9:58:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | #select | funcsLocal.c:17:9:17:10 | Argument 0 indirection | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | fread output argument | String read by fread | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected index 174459167d15..58e3dda09647 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected 
@@ -1,30 +1,3 @@ edges -| globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy | -| globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | Store | -| globalVars.c:11:22:11:25 | argv | globalVars.c:12:9:12:12 | argv | -| globalVars.c:11:22:11:25 | argv | globalVars.c:12:9:12:15 | access to array | -| globalVars.c:12:2:12:15 | Store | globalVars.c:8:7:8:10 | copy | -| globalVars.c:12:2:12:15 | Store | globalVars.c:8:7:8:10 | copy | -| globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | Store | -| globalVars.c:16:2:16:12 | Store | globalVars.c:9:7:9:11 | copy2 | -| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | -| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | -| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | -| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val | nodes -| globalVars.c:8:7:8:10 | copy | semmle.label | copy | -| globalVars.c:8:7:8:10 | copy | semmle.label | copy | -| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 | -| globalVars.c:11:22:11:25 | argv | semmle.label | argv | -| globalVars.c:11:22:11:25 | argv | semmle.label | argv | -| globalVars.c:11:22:11:25 | argv | semmle.label | argv | -| globalVars.c:12:2:12:15 | Store | semmle.label | Store | -| globalVars.c:12:9:12:12 | argv | semmle.label | argv | -| globalVars.c:12:9:12:15 | access to array | semmle.label | access to array | -| globalVars.c:15:21:15:23 | val | semmle.label | val | -| globalVars.c:16:2:16:12 | Store | semmle.label | Store | -| globalVars.c:24:11:24:14 | argv | semmle.label | argv | -| globalVars.c:24:11:24:14 | argv | semmle.label | argv | -| globalVars.c:24:11:24:14 | argv | semmle.label | argv | -| globalVars.c:35:11:35:14 | copy | semmle.label | copy | #select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected index a04dc0d07032..d416c8dda8d9 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected 
@@ -1,157 +1,47 @@ edges -| ifs.c:61:8:61:11 | argv | ifs.c:61:8:61:14 | access to array | -| ifs.c:61:8:61:11 | argv | ifs.c:62:2:62:7 | Phi | -| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... | | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | -| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | -| ifs.c:68:8:68:11 | argv | ifs.c:68:8:68:14 | access to array | -| ifs.c:68:8:68:11 | argv | ifs.c:69:2:69:7 | Phi | -| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... | -| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | -| ifs.c:74:8:74:11 | argv | ifs.c:74:3:74:14 | Store | -| ifs.c:74:8:74:11 | argv | ifs.c:74:8:74:14 | access to array | -| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... | -| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | -| ifs.c:80:8:80:11 | argv | ifs.c:80:3:80:14 | Store | -| ifs.c:80:8:80:11 | argv | ifs.c:80:8:80:14 | access to array | -| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | -| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | -| ifs.c:86:8:86:11 | argv | ifs.c:86:3:86:14 | Store | -| ifs.c:86:8:86:11 | argv | ifs.c:86:8:86:14 | access to array | -| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... | -| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | -| ifs.c:92:8:92:11 | argv | ifs.c:92:3:92:14 | Store | -| ifs.c:92:8:92:11 | argv | ifs.c:92:8:92:14 | access to array | -| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... | -| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | -| ifs.c:98:8:98:11 | argv | ifs.c:98:3:98:14 | Store | -| ifs.c:98:8:98:11 | argv | ifs.c:98:8:98:14 | access to array | -| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... 
| | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | -| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | -| ifs.c:105:8:105:11 | argv | ifs.c:105:3:105:14 | Store | -| ifs.c:105:8:105:11 | argv | ifs.c:105:8:105:14 | access to array | -| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... | -| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | -| ifs.c:111:8:111:11 | argv | ifs.c:111:8:111:14 | access to array | -| ifs.c:111:8:111:11 | argv | ifs.c:112:2:112:7 | Phi | -| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... | -| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | -| ifs.c:117:8:117:11 | argv | ifs.c:117:8:117:14 | access to array | -| ifs.c:117:8:117:11 | argv | ifs.c:118:2:118:7 | Phi | -| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | -| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | -| ifs.c:123:8:123:11 | argv | ifs.c:123:8:123:14 | access to array | -| ifs.c:123:8:123:11 | argv | ifs.c:124:2:124:7 | Phi | -| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... | -| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | nodes | ifs.c:61:8:61:11 | argv | semmle.label | argv | -| ifs.c:61:8:61:11 | argv | semmle.label | argv | -| ifs.c:61:8:61:11 | argv | semmle.label | argv | -| ifs.c:61:8:61:14 | access to array | semmle.label | access to array | -| ifs.c:62:2:62:7 | Phi | semmle.label | Phi | -| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... 
| -| ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:68:8:68:11 | argv | semmle.label | argv | -| ifs.c:68:8:68:11 | argv | semmle.label | argv | -| ifs.c:68:8:68:11 | argv | semmle.label | argv | -| ifs.c:68:8:68:14 | access to array | semmle.label | access to array | -| ifs.c:69:2:69:7 | Phi | semmle.label | Phi | -| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:69:9:69:10 | c8 | semmle.label | c8 | | ifs.c:69:9:69:10 | c8 | semmle.label | c8 | -| ifs.c:74:3:74:14 | Store | semmle.label | Store | | ifs.c:74:8:74:11 | argv | semmle.label | argv | -| ifs.c:74:8:74:11 | argv | semmle.label | argv | -| ifs.c:74:8:74:11 | argv | semmle.label | argv | -| ifs.c:74:8:74:14 | access to array | semmle.label | access to array | -| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:75:9:75:10 | i1 | semmle.label | i1 | | ifs.c:75:9:75:10 | i1 | semmle.label | i1 | -| ifs.c:80:3:80:14 | Store | semmle.label | Store | -| ifs.c:80:8:80:11 | argv | semmle.label | argv | -| ifs.c:80:8:80:11 | argv | semmle.label | argv | | ifs.c:80:8:80:11 | argv | semmle.label | argv | -| ifs.c:80:8:80:14 | access to array | semmle.label | access to array | -| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:81:9:81:10 | i2 | semmle.label | i2 | -| ifs.c:81:9:81:10 | i2 | semmle.label | i2 | -| ifs.c:86:3:86:14 | Store | semmle.label | Store | -| ifs.c:86:8:86:11 | argv | semmle.label | argv | -| ifs.c:86:8:86:11 | argv | semmle.label | argv | | ifs.c:86:8:86:11 | argv | semmle.label | argv | -| ifs.c:86:8:86:14 | access to array | semmle.label | access to array | -| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... 
| | ifs.c:87:9:87:10 | i3 | semmle.label | i3 | -| ifs.c:87:9:87:10 | i3 | semmle.label | i3 | -| ifs.c:92:3:92:14 | Store | semmle.label | Store | -| ifs.c:92:8:92:11 | argv | semmle.label | argv | -| ifs.c:92:8:92:11 | argv | semmle.label | argv | | ifs.c:92:8:92:11 | argv | semmle.label | argv | -| ifs.c:92:8:92:14 | access to array | semmle.label | access to array | -| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:93:9:93:10 | i4 | semmle.label | i4 | -| ifs.c:93:9:93:10 | i4 | semmle.label | i4 | -| ifs.c:98:3:98:14 | Store | semmle.label | Store | -| ifs.c:98:8:98:11 | argv | semmle.label | argv | -| ifs.c:98:8:98:11 | argv | semmle.label | argv | | ifs.c:98:8:98:11 | argv | semmle.label | argv | -| ifs.c:98:8:98:14 | access to array | semmle.label | access to array | -| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:99:9:99:10 | i5 | semmle.label | i5 | -| ifs.c:99:9:99:10 | i5 | semmle.label | i5 | -| ifs.c:105:3:105:14 | Store | semmle.label | Store | -| ifs.c:105:8:105:11 | argv | semmle.label | argv | | ifs.c:105:8:105:11 | argv | semmle.label | argv | -| ifs.c:105:8:105:11 | argv | semmle.label | argv | -| ifs.c:105:8:105:14 | access to array | semmle.label | access to array | -| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:106:9:106:10 | i6 | semmle.label | i6 | | ifs.c:106:9:106:10 | i6 | semmle.label | i6 | | ifs.c:111:8:111:11 | argv | semmle.label | argv | -| ifs.c:111:8:111:11 | argv | semmle.label | argv | -| ifs.c:111:8:111:11 | argv | semmle.label | argv | -| ifs.c:111:8:111:14 | access to array | semmle.label | access to array | -| ifs.c:112:2:112:7 | Phi | semmle.label | Phi | -| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... 
| -| ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:117:8:117:11 | argv | semmle.label | argv | -| ifs.c:117:8:117:11 | argv | semmle.label | argv | -| ifs.c:117:8:117:11 | argv | semmle.label | argv | -| ifs.c:117:8:117:14 | access to array | semmle.label | access to array | -| ifs.c:118:2:118:7 | Phi | semmle.label | Phi | -| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:118:9:118:10 | i8 | semmle.label | i8 | | ifs.c:118:9:118:10 | i8 | semmle.label | i8 | | ifs.c:123:8:123:11 | argv | semmle.label | argv | -| ifs.c:123:8:123:11 | argv | semmle.label | argv | -| ifs.c:123:8:123:11 | argv | semmle.label | argv | -| ifs.c:123:8:123:14 | access to array | semmle.label | access to array | -| ifs.c:124:2:124:7 | Phi | semmle.label | Phi | -| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... | -| ifs.c:124:9:124:10 | i9 | semmle.label | i9 | | ifs.c:124:9:124:10 | i9 | semmle.label | i9 | #select -| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | a command line argument | -| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | a command line argument | -| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | a command line argument | -| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | a command line argument | -| ifs.c:87:9:87:10 | i3 | 
ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | a command line argument | -| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | a command line argument | -| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | a command line argument | -| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | a command line argument | -| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | a command line argument | -| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | a command line argument | -| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | a command line argument | +| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | a command-line argument | +| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument 
may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | a command-line argument | +| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | a command-line argument | +| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | a command-line argument | +| ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | a command-line argument | +| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | a command-line argument | +| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | a command-line argument | +| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | a command-line argument | +| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | a command-line argument | +| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | 
ifs.c:117:8:117:11 | argv | a command-line argument | +| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | a command-line argument |
From 8387105d8d272f78b719c96fff444bd7f7e64995 Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Wed, 12 Aug 2020 16:22:51 -0700 Subject: [PATCH 09/15] C++: add model for POSIX read --- cpp/ql/src/semmle/code/cpp/models/Models.qll | 1 + .../code/cpp/models/implementations/Read.qll | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 cpp/ql/src/semmle/code/cpp/models/implementations/Read.qll
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
index c18ae65f6493..9d8fddfab91f 100644
--- a/cpp/ql/src/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -10,6 +10,7 @@ private import implementations.Memcpy
 private import implementations.Memset
 private import implementations.Printf
 private import implementations.Pure
+private import implementations.Read
 private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Read.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Read.qll
new file mode 100644
index 000000000000..9e26d60d5add
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Read.qll
@@ -0,0 +1,17 @@
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.FlowSource
+
+class Read extends AliasFunction, RemoteFlowFunction {
+ Read() { this.hasGlobalName(["read", "pread"]) }
+
+ override predicate parameterNeverEscapes(int n) { n = 0 }
+
+ override predicate parameterEscapesOnlyViaReturn(int n) { none() }
+
+ override predicate parameterIsAlwaysReturned(int n) { none() }
+
+ override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+ output.isParameterDeref(1) and
+ description = "String read by " + this.getName()
+ }
+}
From 7d5282ac622a4e1ad5c941f8839627b8e6992bc6 Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Thu, 13 Aug 2020 09:43:40 -0700 Subject: [PATCH 10/15] C++: autoformat --- cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
index 910f30eaad7b..8841c5171ea7 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -21,9 +21,7 @@ import semmle.code.cpp.security.FlowSources
 class UncontrolledFormatStringConfiguration extends TaintTracking::Configuration {
 UncontrolledFormatStringConfiguration() { this = "UncontrolledFormatStringConfiguration" }
- override predicate isSource(DataFlow::Node node) {
- node instanceof FlowSource
- }
+ override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
 override predicate isSink(DataFlow::Node node) {
 exists(PrintfLikeFunction printf |
From 7a51ef292517366058ae3ad325b36bd01d7f2f66 Mon Sep 17 00:00:00 2001
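Review bot: `parameterNeverEscapes(int n) { n = 0 }` in the new `Read` class names the file-descriptor argument, while the buffer that `hasRemoteFlowSource` taints is parameter 1, so the alias model seems to say nothing about the only pointer argument of `read`/`pread`. If the intent is that the destination buffer is never retained by the callee, the line would read `override predicate parameterNeverEscapes(int n) { n = 1 }`; as written the buffer is presumably treated as possibly escaping, which is conservative but loses precision. The file also has no QLDoc, unlike Getenv.qll earlier in this series: a header comment saying it provides an implementation class modelling the POSIX functions read and pread, plus a one-line comment on the class, would match. That class comment is a good place to state that these calls are modelled as remote sources even when the descriptor refers to a local file or stdin, since that decides which queries report them.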
From: Robert Marsh Date: Thu, 13 Aug 2020 10:05:26 -0700 Subject: [PATCH 11/15] C++: Accept test changes from improved model flow Changes result from ad4a753 --- .../test/library-tests/dataflow/taint-tests/test_diff.expected | 1 - cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected index be3b27ea69d1..713482490bf8 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected @@ -77,7 +77,6 @@ | taint.cpp:130:7:130:9 | taint.cpp:127:8:127:13 | IR only | | taint.cpp:137:7:137:9 | taint.cpp:120:11:120:16 | AST only | | taint.cpp:173:8:173:13 | taint.cpp:164:19:164:24 | AST only | -| taint.cpp:195:7:195:7 | taint.cpp:192:23:192:28 | AST only | | taint.cpp:195:7:195:7 | taint.cpp:193:6:193:6 | AST only | | taint.cpp:236:3:236:6 | taint.cpp:223:10:223:15 | AST only | | taint.cpp:261:7:261:7 | taint.cpp:258:7:258:12 | AST only | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected index 62debb5d11f0..fe3280eb48ae 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected 
@@ -59,6 +59,7 @@ | taint.cpp:167:8:167:13 | call to source | taint.cpp:167:8:167:13 | call to source | | taint.cpp:168:8:168:14 | tainted | taint.cpp:164:19:164:24 | call to source | | taint.cpp:181:8:181:9 | * ... | taint.cpp:185:11:185:16 | call to source | +| taint.cpp:195:7:195:7 | x | taint.cpp:192:23:192:28 | source | | taint.cpp:210:7:210:7 | x | taint.cpp:207:6:207:11 | call to source | | taint.cpp:215:7:215:7 | x | taint.cpp:207:6:207:11 | call to source | | taint.cpp:216:7:216:7 | y | taint.cpp:207:6:207:11 | call to source |
From 7e262632b4fa4803eea1ff85065a689c8023104f Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Tue, 27 Oct 2020 15:55:50 -0700 Subject: [PATCH 12/15] C++: fix argument indirection nodes --- .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 9 ++- .../CWE-134/semmle/argv/argvLocal.expected | 61 +++++++++++++++++++ .../CWE-134/semmle/funcs/funcsLocal.expected | 23 +++++++ 3 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index 88b18c1ec46a..f218d569074b 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -513,8 +513,13 @@ class DefinitionByReferenceNode extends InstructionNode {
 /**
 * A node representing the memory pointed to by a function argument.
 */
-class ArgumentIndirectionNode extends InstructionNode {
- override ReadSideEffectInstruction instr;
+class ArgumentIndirectionNode extends OperandNode {
+ override SideEffectOperand op;
+ ReadSideEffectInstruction instr;
+
+ ArgumentIndirectionNode() {
+ op.getUse() = instr
+ }
 Expr getArgument() { result = instr.getArgumentDef().getUnconvertedResultExpression() }
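Review bot: The new `instr` field on `ArgumentIndirectionNode` is undocumented, and after this change the node is the side-effect operand rather than the `ReadSideEffectInstruction` itself, which is easy to miss when reading `getArgument()`. A field comment such as `/** The read side effect whose operand this node represents. */` above `ReadSideEffectInstruction instr;` would make that explicit. The characteristic predicate is also spread over three lines where the autoformat pass from PATCH 10/15 would give `ArgumentIndirectionNode() { op.getUse() = instr }`. Any caller that used `asInstruction()` on these nodes would presumably need `asOperand()` now; no such caller is visible here, and the class body continues outside the hunk.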
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index c5717c56ae9c..2b6606b4ec49 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
@@ -9,8 +9,34 @@ edges | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | printWrapper output argument | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | printWrapper output argument | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | printWrapper output argument | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | +| 
argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | printWrapper output argument | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | +| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | Argument 0 indirection | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection | +| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection | +| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | nodes 
@@ -26,11 +52,32 @@ nodes | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | +| argvLocal.c:115:13:115:16 | argv | semmle.label | argv | +| argvLocal.c:116:9:116:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | +| argvLocal.c:121:9:121:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument | +| argvLocal.c:126:10:126:13 | argv | semmle.label | argv | +| argvLocal.c:127:9:127:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument | +| argvLocal.c:131:9:131:14 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:135:9:135:12 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | | argvLocal.c:149:11:149:14 | argv | semmle.label | argv | | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | +| argvLocal.c:156:23:156:26 | argv | semmle.label | argv | +| argvLocal.c:157:9:157:10 | 
Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:163:22:163:25 | argv | semmle.label | argv | +| argvLocal.c:164:9:164:11 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection | | argvLocal.c:168:18:168:21 | argv | semmle.label | argv | | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | 
@@ -43,9 +90,23 @@ nodes | argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command-line argument | | argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | a command-line argument | | argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | a command-line argument | +| argvLocal.c:116:9:116:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:117:15:117:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:121:9:121:10 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:122:15:122:16 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv 
| argvLocal.c:122:15:122:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:127:9:127:10 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:128:15:128:16 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:131:9:131:14 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:132:15:132:20 | Argument 0 indirection | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | a command-line argument | +| argvLocal.c:135:9:135:12 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | +| argvLocal.c:136:15:136:18 | Argument 0 indirection | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 
| Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | a command-line argument | | argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | a command-line argument | | argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | a command-line argument | | argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | a command-line argument | | argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | a command-line argument | +| argvLocal.c:157:9:157:10 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | a command-line argument | +| argvLocal.c:158:15:158:16 | Argument 0 indirection | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | 
argv | a command-line argument | +| argvLocal.c:164:9:164:11 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | a command-line argument | +| argvLocal.c:165:15:165:17 | Argument 0 indirection | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | a command-line argument | | argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | a command-line argument | | argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected index 58e3dda09647..5383bacf5e40 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
@@ -1,3 +1,26 @@ edges +| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | Argument 0 indirection | +| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | Argument 0 indirection | +| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | Argument 0 indirection | +| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | Argument 0 indirection | +| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | Argument 0 indirection | +| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | Argument 0 indirection | nodes +| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument | +| funcsLocal.c:17:9:17:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument | +| funcsLocal.c:27:9:27:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument | +| funcsLocal.c:32:9:32:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument | +| funcsLocal.c:37:9:37:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument | +| funcsLocal.c:42:9:42:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | +| funcsLocal.c:58:9:58:10 | Argument 0 indirection | semmle.label | Argument 0 indirection | #select +| funcsLocal.c:17:9:17:10 | Argument 0 indirection | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | fread output argument | String read 
by fread | +| funcsLocal.c:27:9:27:10 | Argument 0 indirection | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | fgets output argument | String read by fgets | +| funcsLocal.c:32:9:32:10 | Argument 0 indirection | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | fgets output argument | String read by fgets | +| funcsLocal.c:37:9:37:10 | Argument 0 indirection | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | gets output argument | String read by gets | +| funcsLocal.c:42:9:42:10 | Argument 0 indirection | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | gets output argument | String read by gets | +| funcsLocal.c:58:9:58:10 | Argument 0 indirection | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | Argument 0 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | fread output argument | String read by fread | From 51a8a7974308cc8cf18ab04e9704035e1635caf8 Mon Sep 17 00:00:00 2001 From: Robert Marsh Date: Wed, 28 Oct 2020 16:27:00 -0700 Subject: [PATCH 13/15] C++: add qldoc for new predicate --- .../semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index f218d569074b..88ea4edade3d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -517,10 +517,11 @@ class ArgumentIndirectionNode extends OperandNode {
 override SideEffectOperand op;
 ReadSideEffectInstruction instr;
- ArgumentIndirectionNode() {
- op.getUse() = instr
- }
+ ArgumentIndirectionNode() { op.getUse() = instr }
+ /**
+ * Gets the function argument expression which points to the memory this node represents.
+ */
 Expr getArgument() { result = instr.getArgumentDef().getUnconvertedResultExpression() }
 override string toString() { result = "Argument " + instr.getIndex() + " indirection" }
From 9ca62d1472b560c9d187f1ccec4a04ecc323474f Mon Sep 17 00:00:00 2001
From: Robert Marsh
Date: Fri, 30 Oct 2020 15:37:22 -0700
Subject: [PATCH 14/15] C++: autoformat
---
 .../semmle/code/cpp/models/implementations/Getenv.qll | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
index 764a7dab5dca..9669ad6db2c0 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Getenv.qll
@@ -1,6 +1,7 @@
 /**
 * Provides an implementation class modelling the POSIX function `getenv`.
 */
+
 import cpp
 import semmle.code.cpp.models.interfaces.FlowSource
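Review bot: The new qldoc on `getArgument()` in `ArgumentIndirectionNode` (DataFlowUtil.qll) does not say that the result is the unconverted expression, although the body goes through `getUnconvertedResultExpression()`. Query authors who compare the result with a call's argument expression need to know whether implicit conversions are included, so I would extend the comment to something like `Gets the unconverted function argument expression which points to the memory this node represents, if any.` The `if any` is a hedge: presumably the predicate has no result when the argument definition has no associated expression, which is worth confirming before wording it that way. The class body starts and ends outside this hunk.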
@@ -8,15 +9,13 @@ import semmle.code.cpp.models.interfaces.FlowSource
 * The POSIX function `getenv`.
 */
 class Getenv extends LocalFlowFunction {
- Getenv() {
- this.hasGlobalName("getenv")
- }
+ Getenv() { this.hasGlobalName("getenv") }
- override predicate hasLocalFlowSource (FunctionOutput output, string description) {
+ override predicate hasLocalFlowSource(FunctionOutput output, string description) {
 (
 output.isReturnValueDeref() or
 output.isReturnValue()
 ) and
 description = "an environment variable"
 }
-}
\ No newline at end of file
+}
From 99d2e06e34228f5053ad18abcb2174bf97d78a81 Mon Sep 17 00:00:00 2001
From: Robert Marsh
Date: Mon, 2 Nov 2020 14:35:51 -0800
Subject: [PATCH 15/15] C++: autoformat
---
 .../code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
index 1cbddcd70ae5..0ea24dc78623 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -146,8 +146,8 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
 // Taint flow from a pointer argument to an output, when the model specifies flow from the deref
 // to that output, but the deref is not modeled in the IR for the caller.
 exists(
- CallInstruction call, ReadSideEffectInstruction read, Function func,
- FunctionInput modelIn, FunctionOutput modelOut
+ CallInstruction call, ReadSideEffectInstruction read, Function func, FunctionInput modelIn,
+ FunctionOutput modelOut
 |
 read.getSideEffectOperand() = callInput(call, modelIn).asOperand() and
 read.getArgumentDef() = nodeIn.asInstruction() and