In the following C code,

```c
void foo() {
  int myval = 1;
  myval += 2;
  int myarr[myval];
  /* ... */
}
```

My initial goal was to investigate potential out-of-bounds access issues, exemplified by code like

In cases where the initialization code is statically deterministic, as in

The official example code also focuses on cases with statically deterministic initialization. Is there anyone who can assist me in devising a query to address the initial problem?
Hi @hyunsooda 👋🏻

Thank you for your question! You can get hold of the expression used to dynamically set the size of an array through the `VlaDimensionStmt` type. For example:

```ql
from VlaDimensionStmt s
select s, s.getDimensionExpr()
```

If run on your sample code, this will return one result where `getDimensionExpr()` points at the expression of just `myval`.

We expose a `getValue()` predicate on expressions, but that will only return a result if the value is constant, which it is not here. We have experimental `experimental.semmle.code.cpp.rangeanalysis.ArrayLengthAnalysis` and `experimental.semmle.code.cpp.rangeanalysis.InBoundsPointerDeref` libraries which might be of interest to you.
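The following query is an added example, not code from the reply above or from the CodeQL repository. It builds on the `VlaDimensionStmt` / `getDimensionExpr()` / `getValue()` API the answer describes and pairs it with the stable `semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis` library (a different library from the experimental `ArrayLengthAnalysis` and `InBoundsPointerDeref` ones mentioned in the reply) to report every VLA whose size is not a compile-time constant together with the bounds the analysis can infer for that size. The join through `VlaDeclStmt.getVlaDimensionStmt(_)` is used only to name the array variable in the message; the query `@id` is an assumed placeholder.

```ql
/**
 * @name Variable-length array with a non-constant dimension
 * @description Reports each VLA whose dimension expression has no
 *              compile-time value (Expr.getValue() is absent) and shows
 *              the numeric range SimpleRangeAnalysis infers for it.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/vla-non-constant-dimension   // assumed placeholder id
 */

import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis

/**
 * Holds if `dim` is the size expression of the VLA declared by `decl`
 * and that size is not a compile-time constant.
 */
predicate nonConstantVlaDimension(VlaDeclStmt decl, VlaDimensionStmt dimStmt, Expr dim) {
  dimStmt = decl.getVlaDimensionStmt(_) and
  dim = dimStmt.getDimensionExpr() and
  // getValue() only has a result for constant expressions, so its
  // absence is exactly the "dynamic size" case from the question.
  not exists(dim.getValue())
}

from VlaDeclStmt decl, VlaDimensionStmt dimStmt, Expr dim
where nonConstantVlaDimension(decl, dimStmt, dim)
select dimStmt,
  "VLA '" + decl.getVariable().getName() + "' has non-constant dimension '" +
    dim.toString() + "'; inferred range [" + lowerBound(dim).toString() + ", " +
    upperBound(dim).toString() + "]."
```

On the sample `foo()` the query yields one row for `myarr`, with `myval` as the dimension; the bounds printed depend on what `SimpleRangeAnalysis` can establish about `myval` after the `+= 2`, so a wide range (rather than `[3, 3]`) means the analysis could not follow that update and the size should be treated as attacker-influenced for the out-of-bounds investigation. Replacing the `not exists(dim.getValue())` filter with a lower bound below zero, or an upper bound above a chosen stack budget, turns the same skeleton into a direct finding on oversized or negative VLA sizes.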