C++: Fix the issue.

geoffw0 · geoffw0 · commit 0f794b57ed74 · 2026-03-19T13:16:16.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -18,7 +18,8 @@ import IncorrectPointerScalingCommon
 private predicate isCharSzPtrExpr(Expr e) {
   exists(PointerType pt | pt = e.getFullyConverted().getUnspecifiedType() |
     pt.getBaseType() instanceof CharType or
-    pt.getBaseType() instanceof VoidType
+    pt.getBaseType() instanceof VoidType or
+    pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation
   )
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
@@ -1,8 +1,5 @@
 | buildless.cpp:5:15:5:25 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const short * | const short * |
 | buildless.cpp:6:13:6:23 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const int * | const int * |
-| buildless.cpp:7:11:7:21 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const <error-type> * | const <error-type> * |
-| buildless.cpp:8:12:8:22 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const <error-type> * | const <error-type> * |
-| buildless.cpp:9:12:9:22 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const <error-type> * | const <error-type> * |
 | test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp
@@ -4,7 +4,7 @@ void test_buildless(const char *p_c, const short *p_short, const int *p_int, con
   *(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1)
   *(p_short + sizeof(int)); // BAD
   *(p_int + sizeof(int)); // BAD
-  *(p_8 + sizeof(int)); // GOOD (`sizeof(p_8)` is 1) [FALSE POSITIVE]
-  *(p_16 + sizeof(int)); // BAD
-  *(p_32 + sizeof(int)); // BAD
+  *(p_8 + sizeof(int)); // GOOD (`sizeof(p_8)` is 1, but there's an error in the type)
+  *(p_16 + sizeof(int)); // BAD [NOT DETECTED]
+  *(p_32 + sizeof(int)); // BAD [NOT DETECTED]
 }

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,8 @@ import IncorrectPointerScalingCommon`
`18`	`18`	`private predicate isCharSzPtrExpr(Expr e) {`
`19`	`19`	`exists(PointerType pt \| pt = e.getFullyConverted().getUnspecifiedType() \|`
`20`	`20`	`pt.getBaseType() instanceof CharType or`
`21`		`- pt.getBaseType() instanceof VoidType`
	`21`	`+ pt.getBaseType() instanceof VoidType or`
	`22`	`+ pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation`
`22`	`23`	`)`
`23`	`24`	`}`
`24`	`25`