Merge pull request #20014 from jketema/wchar

MathiasVP · web-flow · commit 649c8831ec42 · 2025-07-11T13:39:37.000+01:00
C++: Do not alert on unreachable code in `cpp/incorrect-string-type-conversion`
diff --git a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -14,6 +14,7 @@
 
 import cpp
 import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.ir.IR
 
 class WideCharPointerType extends PointerType {
   WideCharPointerType() { this.getBaseType() instanceof WideCharType }
@@ -108,7 +109,9 @@ where
   // Avoid cases where the cast is guarded by a check to determine if
   // unicode encoding is enabled in such a way to disallow the dangerous cast
   // at runtime.
-  not isLikelyDynamicallyChecked(e1)
+  not isLikelyDynamicallyChecked(e1) and
+  // Avoid cases in unreachable blocks.
+  any(EnterFunctionInstruction e).getASuccessor+().getAst() = e1
 select e1,
   "Conversion from " + e1.getType().toString() + " to " + e2.getType().toString() +
     ". Use of invalid string can lead to undefined behavior."
diff --git a/cpp/ql/src/change-notes/2025-07-10-wchar-fp.md b/cpp/ql/src/change-notes/2025-07-10-wchar-fp.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/incorrect-string-type-conversion` query no longer alerts on incorrect type conversions that occur in unreachable code.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp
@@ -18,13 +18,13 @@ void Test()
 	wchar_t *lpWchar = NULL;
 	LPCSTR lpcstr = "b";
 
-	lpWchar = (LPWSTR)"a"; // BUG
-	lpWchar = (LPWSTR)lpcstr; // BUG
+	lpWchar = (LPWSTR)"a"; // $ Alert
+	lpWchar = (LPWSTR)lpcstr; // $ Alert
 
-	lpWchar = (wchar_t*)lpChar;	// BUG
+	lpWchar = (wchar_t*)lpChar;	// $ Alert
 
-	fconstWChar((LPCWSTR)lpChar);	// BUG
-	fWChar((LPWSTR)lpChar);			// BUG
+	fconstWChar((LPCWSTR)lpChar);	// $ Alert
+	fWChar((LPWSTR)lpChar);			// $ Alert
 
 	lpChar = (LPSTR)"a"; // Valid
 	lpWchar = (LPWSTR)L"a"; // Valid
@@ -79,33 +79,64 @@ void CheckedConversionFalsePositiveTest3(unsigned short flags, LPTSTR buffer)
 	if(flags & UNICODE)
 		lpWchar = (LPWSTR)buffer; // GOOD
 	else
-		lpWchar = (LPWSTR)buffer; // BUG
+		lpWchar = (LPWSTR)buffer; // $ Alert
 
 	if((flags & UNICODE) == 0x8)
 		lpWchar = (LPWSTR)buffer; // GOOD
 	else
-		lpWchar = (LPWSTR)buffer; // BUG
+		lpWchar = (LPWSTR)buffer; // $ Alert
 
 	if((flags & UNICODE) != 0x8)
-		lpWchar = (LPWSTR)buffer; // BUG
+		lpWchar = (LPWSTR)buffer; // $ Alert
 	else
 		lpWchar = (LPWSTR)buffer; // GOOD
 
 	// Bad operator precedence
 	if(flags & UNICODE == 0x8)
-		lpWchar = (LPWSTR)buffer; // BUG
+		lpWchar = (LPWSTR)buffer; // $ Alert
 	else
-		lpWchar = (LPWSTR)buffer; // BUG
+		lpWchar = (LPWSTR)buffer; // $ Alert
 
 	if((flags & UNICODE) != 0)
 		lpWchar = (LPWSTR)buffer; // GOOD
 	else
-		lpWchar = (LPWSTR)buffer; // BUG
+		lpWchar = (LPWSTR)buffer; // $ Alert
 
 	if((flags & UNICODE) == 0)
-		lpWchar = (LPWSTR)buffer; // BUG
+		lpWchar = (LPWSTR)buffer; // $ Alert
 	else
 		lpWchar = (LPWSTR)buffer; // GOOD
 
-	lpWchar = (LPWSTR)buffer; // BUG
+	lpWchar = (LPWSTR)buffer; // $ Alert
+}
+
+typedef unsigned long long size_t;
+
+size_t wcslen(const wchar_t *str);
+size_t strlen(const char* str);
+
+template<typename C>
+size_t str_len(const C *str) {
+	if (sizeof(C) != 1) {
+		return wcslen((const wchar_t *)str); // GOOD -- unreachable code
+	}
+
+	return strlen((const char *)str);
+}
+
+template<typename C>
+size_t wrong_str_len(const C *str) {
+	if (sizeof(C) == 1) {
+		return wcslen((const wchar_t *)str); // $ Alert
+	}
+
+	return strlen((const char *)str);
+}
+
+void test_str_len(const wchar_t *wstr, const char *str) {
+	size_t len =
+	  str_len(wstr) + 
+	  str_len(str) +
+	  wrong_str_len(wstr) +
+	  wrong_str_len(str);
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected
@@ -11,3 +11,4 @@
 | WcharCharConversion.cpp:103:21:103:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:106:21:106:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:110:20:110:25 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:130:34:130:36 | str | Conversion from const char * to const wchar_t *. Use of invalid string can lead to undefined behavior. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-704/WcharCharConversion.ql
+query: Security/CWE/CWE-704/WcharCharConversion.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The `cpp/incorrect-string-type-conversion` query no longer alerts on incorrect type conversions that occur in unreachable code.
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-Security/CWE/CWE-704/WcharCharConversion.ql`
	`1`	`+query: Security/CWE/CWE-704/WcharCharConversion.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`