Fizz demo

CodeQL_Queries/cpp/Facebook_Fizz_CVE-2019-3560/FizzOverflow.ql

@@ -22,27 +22,30 @@ class EndianConvert extends Function {
   }
 }
 
+/**
+ * Holds if `i` is an endianness conversion.
+ * (A telltale sign of network data.)
+ */
+predicate isNetworkData(Instruction i) {
+  i.(CallInstruction).getCallTarget().(FunctionInstruction).getFunctionSymbol() instanceof
+    EndianConvert
+}
+
+/** Holds if `i` is a narrowing conversion. */
+predicate isNarrowingConversion(ConvertInstruction i) {
+  i.getResultSize() < i.getUnary().getResultSize()
+}
+
 class Cfg extends TaintTracking::Configuration {
   Cfg() { this = "FizzOverflowIR" }
 
-  /** Holds if `source` is a call to `Endian::big()`. */
-  override predicate isSource(DataFlow::Node source) {
-    source
-        .asInstruction()
-        .(CallInstruction)
-        .getCallTarget()
-        .(FunctionInstruction)
-        .getFunctionSymbol() instanceof EndianConvert
-  }
+  /**
+   * Holds if `source` is network data.
+   */
+  override predicate isSource(DataFlow::Node source) { isNetworkData(source.asInstruction()) }
 
   /** Holds if `sink` is a narrowing conversion. */
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asInstruction().getResultSize() < sink
-          .asInstruction()
-          .(ConvertInstruction)
-          .getUnary()
-          .getResultSize()
-  }
+  override predicate isSink(DataFlow::Node sink) { isNarrowingConversion(sink.asInstruction()) }
 }
 
 from

CodeQL_Queries/cpp/Facebook_Fizz_CVE-2019-3560/NarrowingConversions.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Narrowing conversions
+ * @description Find all narrowing conversions from a larger integer type,
+ *              such as uint32_t, to a smaller integer type, such as uint8_t.
+ * @kind problem
+ */
+
+import cpp
+import semmle.code.cpp.ir.IR
+
+/** Holds if `i` is a narrowing conversion. */
+predicate isNarrowingConversion(ConvertInstruction i) {
+  i.getResultSize() < i.getUnary().getResultSize()
+}
+
+from ConvertInstruction conv, Type inputType, Type outputType
+where
+  isNarrowingConversion(conv) and
+  inputType = conv.getUnary().getResultType() and
+  outputType = conv.getResultType()
+select conv, "Narrowing conversion from " + inputType + " to " + outputType + "."