Class BufferWrite
An operation that writes a variable amount of data to a buffer (strcpy, strncat, sprintf, etc.).
Note that there are two related class frameworks:
- BufferWrite provides detailed coverage of null-terminated buffer write operations.
- BufferAccess provides general coverage of buffer read and write operations whose size is either not data-dependent, or has an upper bound which is not data-dependent.
This design has some overlaps between the two classes, for example the write of a ‘strncpy’.
Import path
import semmle.code.cpp.security.BufferWrite
Direct supertypes
Indirect supertypes
Known direct subtypes
Predicates
getASource | Gets a data source of this operation (e.g. the source string, format string; not necessarily copied as-is). |
getBWDesc | Gets a description of this buffer write. |
getBufferType | Gets the (unspecified) type of the buffer this operation works with (for example |
getCharSize | Gets the size of a single character of the type this operation works with, in bytes. |
getDest | Gets the destination buffer of this operation. |
getExplicitLimit | Gets the explicit limit of bytes copied by this operation, if it exists and its value can be determined. |
getMaxData | Gets an upper bound to the amount of data that’s being written (if one can be found). |
getMaxData | Gets an upper bound to the amount of data that’s being written (if one can be found), specifying the reason for the estimation. |
getMaxDataLimited | Gets an upper bound to the amount of data that’s being written (if one can be found), except that float to string conversions are assumed to be much smaller (8 bytes) than their true maximum length. This can be helpful in determining the cause of a buffer overflow issue. |
getMaxDataLimited | Gets an upper bound to the amount of data that’s being written (if one can be found), specifying the reason for the estimation, except that float to string conversions are assumed to be much smaller (8 bytes) than their true maximum length. This can be helpful in determining the cause of a buffer overflow issue. |
hasExplicitLimit | Holds if the operation has an explicit parameter that limits the amount of data written (e.g. |
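The predicates above can be combined into a query that flags unbounded writes whose estimated maximum size exceeds the destination. This is an added example, not part of the original reference page; the query name and `@id` are constructed, and `getBufferSize` is assumed to come from `semmle.code.cpp.commons.Buffer` rather than from this class.

```ql
/**
 * @name Unbounded buffer write larger than destination (added example)
 * @description Uses BufferWrite to find strcpy/sprintf-style writes that
 *              may exceed the size of the destination buffer.
 * @kind problem
 * @problem.severity warning
 * @id example/cpp/bufferwrite-overrun
 */

import cpp
import semmle.code.cpp.security.BufferWrite
import semmle.code.cpp.commons.Buffer

from BufferWrite bw, Expr dest, int destSize, int estimated
where
  // Skip writes that carry their own size argument (strncpy, snprintf, ...);
  // those are bounded by the caller and need a different check.
  not bw.hasExplicitLimit() and
  dest = bw.getDest() and
  // Size of the destination in bytes, when it can be determined statically.
  // getBufferSize is a helper from commons.Buffer, not a BufferWrite predicate.
  destSize = getBufferSize(dest, _) and
  // Use the "limited" estimate so that a float conversion in a format string
  // does not dominate the result; `_` ignores the estimation reason.
  estimated = bw.getMaxDataLimited(_) and
  estimated > destSize
select bw,
  "This '" + bw.getBWDesc() + "' operation may write " + estimated +
    " bytes, but the destination holds only " + destSize + " bytes."
```

Swapping `getMaxDataLimited` for `getMaxData` reports the true upper bound, including full-length float conversions, at the cost of more results.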
Inherited predicates
findRootCause | Gets the source of this element: either itself or a macro that expanded to this element. | from Element |
fromSource | Holds if this element may be from source. This predicate holds for all elements, except for those in the dummy file, whose name is the empty string. The dummy file contains declarations that are built directly into the compiler. | from Element |
getAChild | Gets a child of this expression. | from Expr |
getAFalseSuccessor | Gets a node such that the control-flow edge | from ControlFlowNode |
getAPredecessor | Gets a direct predecessor of this control-flow node, if any. | from ControlFlowNode |
getAPrimaryQlClass | Gets the name of a primary CodeQL class to which this element belongs. | from ElementBase |
getASuccessor | Gets a direct successor of this control-flow node, if any. | from ControlFlowNode |
getATrueSuccessor | Gets a node such that the control-flow edge | from ControlFlowNode |
getActualType | Gets the type of this expression, after any implicit conversions and explicit casts, and after resolving typedefs. | from Expr |
getAnImplicitDestructorCall | Gets a compiler-generated destructor call that is performed after this expression. | from Expr |
getBasicBlock | Gets the | from ControlFlowNode |
getChild | Gets the nth child of this expression. | from Expr |
getControlFlowScope | Gets the function containing this control-flow node. | from Expr |
getConversion | Gets the conversion associated with this expression, if any. | from Expr |
getConversionString | Gets a string describing the conversion associated with this expression, or "" if there is none. | from Expr |
getEnclosingBlock | Gets the nearest enclosing set of curly braces around this expression in the source, if any. | from Expr |
getEnclosingDeclaration | Gets the enclosing variable or function of this expression. | from Expr |
getEnclosingElement | Gets the closest | from Element |
getEnclosingFunction | Gets the enclosing function of this expression, if any. | from Expr |
getEnclosingStmt | Gets the smallest statement containing this control-flow node. | from Expr |
getEnclosingVariable | Gets the enclosing variable of this expression, if any. | from Expr |
getExplicitlyConverted | Gets this expression with all of its explicit casts, but none of its implicit casts. More precisely this takes conversions up to the last explicit cast (there may be implicit conversions along the way), but does not include conversions after the last explicit cast. | from Expr |
getFile | Gets the primary file where this element occurs. | from Element |
getFullyConverted | Gets the fully converted form of this expression, including all type casts and other conversions. | from Expr |
getImplicitDestructorCall | Gets the | from Expr |
getImplicitlyConverted | Gets this expression with all of its initial implicit casts, but none of its explicit casts. More precisely, this takes all implicit conversions up to (but not including) the first explicit cast (if any). | from Expr |
getLocation | Gets the location of this expression. | from Expr |
getNumChild | Gets the number of direct children of this expression. | from Expr |
getParent | Gets the parent of this expression, if any. | from Expr |
getParentScope | Gets the parent scope of this | from Element |
getParentWithConversions | Gets the parent of this expression, if any, in an alternative syntax tree that has | from Expr |
getPrecedence | Gets the precedence of the main operator of this expression; higher precedence binds tighter. | from Expr |
getPrimaryQlClasses | Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs. | from ElementBase |
getType | Gets the type of this expression. | from Expr |
getUnconverted | Gets the unique non- | from Expr |
getUnderlyingType | Gets the type of this expression after typedefs have been resolved. | from Expr |
getUnspecifiedType | Gets the type of this expression after specifiers have been deeply stripped and typedefs have been resolved. | from Expr |
getValue | Gets the value of this expression, if it is a constant. | from Expr |
getValueCategoryString | Gets a string representation of the value category of the expression. This is intended only for debugging. The possible values are: | from Expr |
getValueText | Gets the source text for the value of this expression, if it is a constant. | from Expr |
hasChild | Holds if e is the nth child of this expression. | from Expr |
hasConversion | Holds if this expression has a conversion. | from Expr |
hasExplicitConversion | Holds if this expression has an explicit conversion. | from Expr |
hasImplicitConversion | Holds if this expression has an implicit conversion. | from Expr |
hasLValueToRValueConversion | Holds if this expression has undergone an lvalue-to-rvalue conversion to extract its value. For example: | from Expr |
isAffectedByMacro | Holds if this element is affected in any way by a macro. All elements that are totally or partially generated by a macro are included, so this is a super-set of | from Element |
isCompilerGenerated | Holds if this is an auxiliary expression generated by the compiler. | from Expr |
isCondition | Holds if this node is the top-level expression of a conditional statement, meaning that | from ControlFlowNode |
isConstant | Holds if this expression has a value that can be determined at compile time. | from Expr |
isFromTemplateInstantiation | Holds if this | from Element |
isFromUninstantiatedTemplate | Holds if this | from Element |
isGLValueCategory | Holds if this expression is a glvalue. A glvalue is either an lvalue or an xvalue. | from Expr |
isInMacroExpansion | Holds if this element comes from a macro expansion. Only elements that are entirely generated by a macro are included - for elements that partially come from a macro, see | from Element |
isLValue | Holds if this expression is an lvalue, in the sense of having an address. | from Expr |
isLValueCategory | Holds if this expression is an lvalue. An lvalue is an expression that represents a location, rather than a value. See [basic.lval] for more about lvalues. | from Expr |
isPRValueCategory | Holds if this expression is a prvalue. A prvalue is an expression that represents a value, rather than a location. See [basic.lval] for more about prvalues. | from Expr |
isParenthesised | Holds if this expression is parenthesised. | from Expr |
isPure | Holds if this expression is side-effect free (conservative approximation). This predicate cannot be overridden; override mayBeImpure() instead. | from Expr |
isRValueCategory | Holds if this expression is an rvalue. An rvalue is either a prvalue or an xvalue. | from Expr |
isUnevaluated | Holds if this expression will not be evaluated because of its context, such as an expression inside a sizeof. | from Expr |
isXValueCategory | Holds if this expression is an xvalue. An xvalue is a location whose lifetime is about to end (e.g. an rvalue reference returned from a function call). See [basic.lval] for more about xvalues. | from Expr |
mayBeGloballyImpure | Holds if it is possible that the expression may be impure. If we are not sure, then it holds. Unlike | from Expr |
mayBeImpure | Holds if it is possible that the expression may be impure. If we are not sure, then it holds. | from Expr |
toString | Gets a textual representation of this expression. | from Expr |