github · rdmarsh2 · Mar 4, 2020 · Mar 4, 2020
diff --git a/...ry-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/...ry-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -6,3 +6,4 @@
 | test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:21:52:27 | call to realloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:127:17:127:22 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:123:25:123:30 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -105,3 +105,24 @@ void processFile()
 		fclose(f);
 	}
 }
+
+char *getenv(const char *name);
+
+#define MAX_SIZE 500
+
+int bounded(int x, int limit) {
+  int result = x;
+  if (x <= 0)
+    result = 1;
+  else if (x > limit)
+    result = limit;
+  return result;
+}
+
+void open_file_bounded () {
+	int size = size = atoi(getenv("USER"));
+	int bounded_size = bounded(size, MAX_SIZE);
+
+	int* a = (int*)malloc(bounded_size); // GOOD
+	int* b = (int*)malloc(size); // BAD
+}