Massaging cpp leap year AP1

ropwareJB · ropwareJB · commit aba87c5124c7 · 2025-12-18T12:30:12.000-08:00
diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
@@ -12,55 +12,6 @@
 import cpp
 import LeapYear
 
-/**
- * Holds if there is no known leap-year verification for the given `YearWriteOp`.
- * Binds the `var` argument to the qualifier of the `ywo` argument.
- */
-bindingset[ywo]
-predicate isYearModifedWithoutExplicitLeapYearCheck(Variable var, YearWriteOp ywo) {
-  exists(VariableAccess va, YearFieldAccess yfa |
-    yfa = ywo.getYearAccess() and
-    yfa.getQualifier() = va and
-    var.getAnAccess() = va and
-    // Avoid false positives
-    not (
-      // If there is a local check for leap year after the modification
-      exists(LeapYearFieldAccess yfacheck |
-        yfacheck.getQualifier() = var.getAnAccess() and
-        yfacheck.isUsedInCorrectLeapYearCheck() and
-        yfacheck.getBasicBlock() = yfa.getBasicBlock().getASuccessor*()
-      )
-      or
-      // If there is a data flow from the variable that was modified to a function that seems to check for leap year
-      exists(VariableAccess source, ChecksForLeapYearFunctionCall fc |
-        source = var.getAnAccess() and
-        LeapYearCheckFlow::flow(DataFlow::exprNode(source), DataFlow::exprNode(fc.getAnArgument()))
-      )
-      or
-      // If there is a data flow from the field that was modified to a function that seems to check for leap year
-      exists(VariableAccess vacheck, YearFieldAccess yfacheck, ChecksForLeapYearFunctionCall fc |
-        vacheck = var.getAnAccess() and
-        yfacheck.getQualifier() = vacheck and
-        LeapYearCheckFlow::flow(DataFlow::exprNode(yfacheck), DataFlow::exprNode(fc.getAnArgument()))
-      )
-      or
-      // If there is a successor or predecessor that sets the month or day to a fixed value
-      exists(FieldAccess mfa, AssignExpr ae, int val |
-        mfa instanceof MonthFieldAccess or mfa instanceof DayFieldAccess
-      |
-        mfa.getQualifier() = var.getAnAccess() and
-        mfa.isModified() and
-        (
-          mfa.getBasicBlock() = yfa.getBasicBlock().getASuccessor*() or
-          yfa.getBasicBlock() = mfa.getBasicBlock().getASuccessor+()
-        ) and
-        ae = mfa.getEnclosingElement() and
-        ae.getAnOperand().getValue().toInt() = val
-      )
-    )
-  )
-}
-
 /**
  * The set of all write operations to the Year field of a date struct.
  */
@@ -70,6 +21,61 @@ abstract class YearWriteOp extends Operation {
 
   /** Get the expression which represents the new value. */
   abstract Expr getMutationExpr();
+
+  /**
+   * Checks if this Operation is a simple normalization, converting between formats.
+   */
+  predicate isNormalizationOperation(){
+    isNormalizationOperation(this.getMutationExpr())
+  }
+
+  /**
+   * Holds if there is no known leap-year verification for the `YearWriteOp`.
+   * Binds the `var` argument to the qualifier of the `ywo` argument.
+   */
+  predicate isYearModifedWithoutExplicitLeapYearCheck(Variable var) {
+    exists(VariableAccess va, YearFieldAccess yfa |
+      yfa = this.getYearAccess() and
+      yfa.getQualifier() = va and
+      var.getAnAccess() = va and
+      // Avoid false positives
+      not (
+        // If there is a local check for leap year after the modification
+        exists(LeapYearFieldAccess yfacheck |
+          yfacheck.getQualifier() = var.getAnAccess() and
+          yfacheck.isUsedInCorrectLeapYearCheck() and
+          yfacheck.getBasicBlock() = yfa.getBasicBlock().getASuccessor*()
+        )
+        or
+        // If there is a data flow from the variable that was modified to a function that seems to check for leap year
+        exists(VariableAccess source, ChecksForLeapYearFunctionCall fc |
+          source = var.getAnAccess() and
+          LeapYearCheckFlow::flow(DataFlow::exprNode(source), DataFlow::exprNode(fc.getAnArgument()))
+        )
+        or
+        // If there is a data flow from the field that was modified to a function that seems to check for leap year
+        exists(VariableAccess vacheck, YearFieldAccess yfacheck, ChecksForLeapYearFunctionCall fc |
+          vacheck = var.getAnAccess() and
+          yfacheck.getQualifier() = vacheck and
+          LeapYearCheckFlow::flow(DataFlow::exprNode(yfacheck), DataFlow::exprNode(fc.getAnArgument()))
+        )
+        or
+        // If there is a successor or predecessor that sets the month or day to a fixed value
+        exists(FieldAccess mfa, AssignExpr ae, int val |
+          mfa instanceof MonthFieldAccess or mfa instanceof DayFieldAccess
+        |
+          mfa.getQualifier() = var.getAnAccess() and
+          mfa.isModified() and
+          (
+            mfa.getBasicBlock() = yfa.getBasicBlock().getASuccessor*() or
+            yfa.getBasicBlock() = mfa.getBasicBlock().getASuccessor+()
+          ) and
+          ae = mfa.getEnclosingElement() and
+          ae.getAnOperand().getValue().toInt() = val
+        )
+      )
+    )
+  }
 }
 
 /**
@@ -125,14 +131,37 @@ module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
 
 module OperationToYearAssignmentFlow = DataFlow::Global<OperationToYearAssignmentConfig>;
 
-from Variable var, YearWriteOp ywo, Expr mutationExpr
+/**
+ * A Call to some known Time conversion function, which maps between time structs or scalars.
+ */
+class TimeConversionCall extends Call{
+  TimeConversionCall(){
+    this = any(TimeConversionFunction f).getACallToThisFunction()
+  }
+
+  bindingset[var]
+  predicate converts(Variable var){
+    this.getAnArgument().getAChild*() = var.getAnAccess()
+  }
+}
+
+/**
+ * A YearWriteOp that is non-mutating (AddressOfExpr *could* mutate but doesnt)
+ */
+class NonMutatingYearWriteOp extends Operation instanceof YearWriteOp{
+  NonMutatingYearWriteOp(){
+    this instanceof AddressOfExpr
+  }
+}
+
+from Variable var, YearWriteOp ywo
 where
-  mutationExpr = ywo.getMutationExpr() and
-  isYearModifedWithoutExplicitLeapYearCheck(var, ywo) and
-  not isNormalizationOperation(mutationExpr) and
-  not ywo instanceof AddressOfExpr and
-  not exists(Call c, TimeConversionFunction f | f.getACallToThisFunction() = c |
-    c.getAnArgument().getAChild*() = var.getAnAccess() and
+  not ywo.isNormalizationOperation() and
+  not ywo instanceof NonMutatingYearWriteOp and
+  ywo.isYearModifedWithoutExplicitLeapYearCheck(var) and
+  // If there is a Time conversion after, which utilizes the variable - could lead to false negatives maybe?
+  not exists(TimeConversionCall c |
+    c.converts(var) and
     ywo.getASuccessor*() = c
   )
 select ywo,
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp
@@ -46,6 +46,8 @@ typedef struct _TIME_DYNAMIC_ZONE_INFORMATION {
 	BOOLEAN DynamicDaylightTimeDisabled;
 } DYNAMIC_TIME_ZONE_INFORMATION, *PDYNAMIC_TIME_ZONE_INFORMATION;
 
+typedef const wchar_t* LPCWSTR;
+
 struct tm
 {
 	int tm_sec;   // seconds after the minute - [0, 60] including leap second
@@ -111,6 +113,10 @@ TzSpecificLocalTimeToSystemTimeEx(
 	LPSYSTEMTIME lpUniversalTime
 );
 
+int _wtoi(
+   const wchar_t *str
+);
+
 void GetSystemTime(
 	LPSYSTEMTIME lpSystemTime
 );
@@ -1004,3 +1010,48 @@ bool tp_intermediaryVar(struct timespec now, struct logtime &timestamp_remote)
 		tm.tm_mday = tm.tm_mon == 2 && tm.tm_mday == 29 && !isLeapYear ? 28 : tm.tm_mday;
 		return tm;
 	}
+
+/**
+* Negative Case - Anti-pattern 1: [year ±n, month, day]
+* Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed.
+*/
+bool
+FMAPITimeToSysTimeW(LPCWSTR wszTime, SYSTEMTIME *psystime)
+{
+	// if (!wszTime || SafeIsBadReadPtr(wszTime, 1) || lstrlenW(wszTime) != cchMAPITime)
+	// 	return false;
+	// AssertTag(!SafeIsBadWritePtr(psystime, sizeof(SYSTEMTIME)), 0x0004289a /* tag_abc80 */);
+	// memset(psystime, 0, sizeof(SYSTEMTIME));
+
+	psystime->wYear = (WORD)_wtoi(wszTime);
+	psystime->wMonth = (WORD)_wtoi(wszTime+5);
+	psystime->wDay = (WORD)_wtoi(wszTime+8);
+	psystime->wHour = (WORD)_wtoi(wszTime+11);
+	psystime->wMinute = (WORD)_wtoi(wszTime+14);
+	return true;
+}
+
+/**
+* Negative Case - Anti-pattern 1: [year ±n, month, day]
+* Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed.
+*/
+bool
+ATime::HrGetSysTime(
+	SYSTEMTIME	*pst
+	) const
+{
+	// if (!FValidSysTime())
+	// 	{
+	// 	TrapSzTag("ATime cannot be converted to SYSTEMTIME", 0x1e14f5c3 /* tag_4fpxd */);
+	// 	CORgTag(E_FAIL, 0x6c373230 /* tag_l720 */);
+	// 	}
+	
+	// pst->wYear = static_cast<WORD>(m_lYear);
+	// pst->wMonth = static_cast<WORD>(m_lMonth);
+	// //pst->wDayOfWeek = ???;
+	// pst->wDay = static_cast<WORD>(m_lDay);
+	// pst->wHour = static_cast<WORD>(m_lHour);
+	// pst->wMinute = static_cast<WORD>(m_lMinute);
+	// pst->wSecond = static_cast<WORD>(m_lSecond);
+	// pst->wMilliseconds = 0;
+}
