Closed wildoranges closed 4 days ago
There are a lot of ifdefs etc. Not sure if that causes the issue. Is the line number correct if you parse that function standalone?
The LINE_NUMBER_END is correct if I parse the goodG2B function standalone:

test.cpp:

```c++
static void goodG2B()
{
char * data;
char * &dataRef = data;
data = (char *)malloc(100*sizeof(char));
if (data == NULL) {exit(-1);}
/* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
memset(data, 'A', 50-1); /* fill with 'A's */
data[50-1] = '\0'; /* null terminate */
{
char * data = dataRef;
{
char dest[50] = "";
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
SNPRINTF(dest, strlen(data), "%s", data);
printLine(data);
free(data);
}
}
}
```

_global_.dot:

```dot
...
8 [label=METHOD COLUMN_NUMBER=1 LINE_NUMBER=1 COLUMN_NUMBER_END=1 IS_EXTERNAL=false SIGNATURE="void()" NAME="goodG2B" AST_PARENT_TYPE="TYPE_DECL" AST_PARENT_FULL_NAME="test.cpp:<global>" ORDER=1 CODE="static void goodG2B()
{
char * data;
char * &dataRef = data;
data = (char *)malloc(100*sizeof(char));
if (data == NULL) {exit(-1);}
/* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
memset(data, 'A', 50-1); /* fill with 'A's */
data[50-1] = '\\0'; /* null terminate */
{
char * data = dataRef;
{
char dest[50] = \"\";
/* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
SNPRINTF(dest, strlen(data), \"%s\", data);
printLine(data);
free(data);
}
}
}" FULL_NAME="goodG2B:void()" LINE_NUMBER_END=20 FILENAME="test.cpp"]
...
```
Are there any updates for this issue?
Could you check the latest release? https://github.com/joernio/joern/pull/4766 fixed it. It shows 77 as line number end for me now.
Thanks, this issue has been fixed in the latest release.
Describe the bug
For the following c++ code:

```c++
/* TEMPLATE GENERATED TESTCASE FILE
Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_33.cpp
Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
Template File: sources-sink-33.tmpl.cpp
*/
/*
 * @description
 * CWE: 122 Heap Based Buffer Overflow
 * BadSource: Initialize data as a large string
 * GoodSource: Initialize data as a small string
 * Sinks: snprintf
 *    BadSink : Copy data to string using snprintf
 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
 *
 * */

#include "std_testcase.h"
#include
```

Joern generates the following cpg .dot file (part):

```dot
...
74 [label=METHOD COLUMN_NUMBER=1 LINE_NUMBER=58 COLUMN_NUMBER_END=12 IS_EXTERNAL=false SIGNATURE="void()" NAME="goodG2B" AST_PARENT_TYPE="TYPE_DECL" AST_PARENT_FULL_NAME="CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_33.cpp:
```

For function goodG2B, the correct LINE_NUMBER_END should be 77, but the LINE_NUMBER_END in the .dot file is 72. Is this a joern issue? Thanks.

To Reproduce
Steps to reproduce the behavior:
1. joern-parse command for the c++ code above
2. joern-export command to export cpg .dot files
3. _global_.dot file

Expected behavior
Joern generates correct LINE_NUMBER_END.

Desktop (please complete the following information):
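A check for the kind of mismatch reported in this issue (a METHOD node's LINE_NUMBER_END disagreeing with where the function actually ends in the source), added here as an example; it is not code from the issue or from Joern. It parses the METHOD nodes of a `_global_.dot` export and compares each LINE_NUMBER_END against the brace-balanced end of the function in the source file; the sample source and node lines below are constructed and cut down, with the attribute layout taken from the export quoted above.

```python
import re
# Constructed sample: a cut-down goodG2B (not the full Juliet file) and the METHOD
# nodes as joern-export writes them; LINE_NUMBER_END is deliberately wrong (7, not 10).
SAMPLE_SRC = """\
static void goodG2B()
{
    char * data;
    char * &dataRef = data;
    data = (char *)malloc(100*sizeof(char));
    {
        char * data = dataRef;
        free(data);
    }
}
"""
SAMPLE_DOT = """\
5 [label=METHOD COLUMN_NUMBER=1 LINE_NUMBER=1 IS_EXTERNAL=false NAME="goodG2B" CODE="static void goodG2B()
{
char * data; ... }" FULL_NAME="goodG2B:void()" LINE_NUMBER_END=7 FILENAME="test.cpp"]
9 [label=METHOD IS_EXTERNAL=true NAME="malloc" FULL_NAME="malloc" FILENAME="<empty>"]
"""
NODE_RE = re.compile(r'\[label=METHOD (?P<body>.*?FILENAME="[^"]*")\]', re.DOTALL)
def _attr(body, key):
    # Whole-key match: NAME= must not hit FULL_NAME=, LINE_NUMBER= must not hit LINE_NUMBER_END=.
    m = re.search(r"(?<![A-Z_])" + re.escape(key) + r'=(?:"([^"]*)"|([^\s\]]+))', body)
    return None if m is None else (m.group(2) if m.group(1) is None else m.group(1))
def parse_methods(dot_text):
    """Return [(NAME, LINE_NUMBER, LINE_NUMBER_END)] for every non-external METHOD node."""
    out = []
    for m in NODE_RE.finditer(dot_text):
        body = m.group("body")
        start, end = _attr(body, "LINE_NUMBER"), _attr(body, "LINE_NUMBER_END")
        if _attr(body, "IS_EXTERNAL") == "false" and start and end:
            out.append((_attr(body, "NAME"), int(start), int(end)))
    return out
def body_end_line(src_lines, start):
    """1-based line of the brace closing the function that starts on line `start`, or None.
    Plain brace counting: assumes no braces inside string/char literals or comments."""
    depth = 0
    for lineno in range(start, len(src_lines) + 1):
        for ch in src_lines[lineno - 1]:
            depth += (ch == "{") - (ch == "}")
            if ch == "}" and depth == 0:
                return lineno
    return None
def check_line_ranges(src_text, dot_text):
    """{NAME: (reported_end, actual_end)} for every METHOD whose LINE_NUMBER_END is wrong."""
    src_lines = src_text.splitlines()
    return {name: (end, actual) for name, start, end in parse_methods(dot_text)
            if (actual := body_end_line(src_lines, start)) != end}
```

Run it over the real `_global_.dot` and source file to list every function whose recorded end line is off; an empty result means the export's line ranges agree with the source.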