codeql Enhance `cpp/overflow-calculated` - detect out-of-bounds write caused by passing the buffer size in bytes (using sizeof) instead of the number of elements to wcsftime, allowing the function to overrun the allocated buffer.

Enhance `cpp/overflow-calculated` - detect out-of-bounds write caused by passing the buffer size in bytes (using sizeof) instead of the number of elements to wcsftime, allowing the function to overrun the allocated buffer.

Open felickz opened this issue 5 months ago • 0 comments

trafficstars

This pull request improves the detection of buffer overflow issues in the OverflowCalculated.ql query.

Enhanced query description: The description of the query has been updated to include scenarios involving incorrect size calculations for wide character functions, improving clarity and scope. Additionally, the precision level was set to "medium" to better reflect the query's behavior. (cpp/ql/src/Critical/OverflowCalculated.ql, cpp/ql/src/Critical/OverflowCalculated.qlL2-R5)
New predicate for wide character size issues: Added the wideCharSizeofProblem predicate to detect cases where the sizeof operator is incorrectly used with wcsftime, leading to potential buffer overflows. The predicate checks for miscalculations in the count parameter by ensuring that the size is expressed in terms of wchar_t elements rather than bytes. (cpp/ql/src/Critical/OverflowCalculated.ql, cpp/ql/src/Critical/OverflowCalculated.qlR44-R64)
Updated query logic: Modified the where clause in the query to include the new wideCharSizeofProblem predicate, enabling the detection of both traditional space problems and wide character size issues. (cpp/ql/src/Critical/OverflowCalculated.ql, cpp/ql/src/Critical/OverflowCalculated.qlR44-R64)

Jun 10 '25 20:06 felickz