Merge pull request #8 from Semmle/bad-overflow-steps

Bad overflow check broken into three steps

Author: kevinbackhouse

ql_demos/cpp/ChakraCore-bad-overflow-check/steps/01_overflow_checks.ql

@@ -0,0 +1,12 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
+  compare.getAnOperand() = var.getAnAccess() and
+  compare.getAnOperand() = add and
+  add.getAnOperand() = var.getAnAccess()
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add, _)
+select add, "Overflow check on variable of type " + var.getUnderlyingType()

ql_demos/cpp/ChakraCore-bad-overflow-check/steps/02_var_size.ql

@@ -0,0 +1,13 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
+  compare.getAnOperand() = var.getAnAccess() and
+  compare.getAnOperand() = add and
+  add.getAnOperand() = var.getAnAccess()
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add, _)
+  and var.getType().getSize() < 4
+select add, "Overflow check on variable of type " + var.getUnderlyingType()

ql_demos/cpp/ChakraCore-bad-overflow-check/steps/03_bad_overflow_check.ql

@@ -0,0 +1,14 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
+  compare.getAnOperand() = var.getAnAccess() and
+  compare.getAnOperand() = add and
+  add.getAnOperand() = var.getAnAccess()
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add, _)
+  and var.getType().getSize() < 4
+  and not add.getConversion+().getType().getSize() < 4
+select add, "Bad overflow check on variable of type " + var.getUnderlyingType()