C++: Also flag up 'alloca' and friends.

MathiasVP · MathiasVP · commit 6730f57d5c21 · 2023-11-15T11:51:57.000Z
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -27,16 +27,26 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
   ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" }
 
   override predicate isSource(Instruction source) {
-    // Holds if `source` is a node that represents the use of a stack variable
-    exists(VariableAddressInstruction var, Function func |
-      var = source and
-      func = source.getEnclosingFunction() and
-      var.getAstVariable() instanceof StackVariable and
-      // Pointer-to-member types aren't properly handled in the dbscheme.
-      not var.getResultType() instanceof PointerToMemberType and
+    exists(Function func |
       // Rule out FPs caused by extraction errors.
       not any(ErrorExpr e).getEnclosingFunction() = func and
-      not intentionallyReturnsStackPointer(func)
+      not intentionallyReturnsStackPointer(func) and
+      func = source.getEnclosingFunction()
+    |
+      // `source` is an instruction that represents the use of a stack variable
+      exists(VariableAddressInstruction var |
+        var = source and
+        var.getAstVariable() instanceof StackVariable and
+        // Pointer-to-member types aren't properly handled in the dbscheme.
+        not var.getResultType() instanceof PointerToMemberType
+      )
+      or
+      // `source` is an instruction that represents the return value of a
+      // function that is known to return stack-allocated memory.
+      exists(Call call |
+        call.getTarget().hasGlobalName(["alloca", "strdupa", "strndupa"]) and
+        source.getUnconvertedResultExpression() = call
+      )
     )
   }
 
@@ -85,10 +95,10 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
 }
 
 from
-  MustFlowPathNode source, MustFlowPathNode sink, VariableAddressInstruction var,
+  MustFlowPathNode source, MustFlowPathNode sink, Instruction instr,
   ReturnStackAllocatedMemoryConfig conf
 where
   conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
-  source.getInstruction() = var
+  source.getInstruction() = instr
 select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.",
-  var.getAst(), var.getAst().toString()
+  instr.getAst(), instr.getAst().toString()
