False positive, cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql

[peternmartin]

This badly bounded write query flags the following code incorrectly:

#include <stdio.h>
#include <stdlib.h>

char* dest = "a";

int main(int argc, char* argv[])
{
  const char src[] = "Testing testing 123";
  dest = malloc(sizeof(src));
  if (dest == 0)
    return EXIT_FAILURE;

  snprintf(dest, sizeof(src), "%s", src);
  fprintf(stdout, "%s\n", dest);
  return EXIT_SUCCESS;
}

The snprintf is flagged:

|        bw        |                                             col1                                              |
+------------------+-----------------------------------------------------------------------------------------------+
| call to snprintf | This 'call to snprintf' operation is limited to 20 bytes but the destination is only 0 bytes. |
| call to snprintf | This 'call to snprintf' operation is limited to 20 bytes but the destination is only 2 bytes. |

Admittedly, the code is doing something slightly strange (that is, taking a pointer that was pointing to a string constant, and repointing it at dynamically allocated memory). However, I don't think the finding is correct.

[jketema]

Hi @peternmartin,

Thanks for your report. This indeed looks like a false positive. We're discussing internally how to best fix this.

[jketema]

We've merged a fix for this #13929, which should be part of the CodeQL 2.14.3 release, which will be released in about 2 or 3 weeks.

[jketema]

We unfortunately had to revert the fix. I'm reopening this issue. I've opened an internal issue to track this.

[jketema]

This should be fixed in CodeQL 2.16.0, which should be released sometime in January 2024.