From 47486a4d8d67c2c9dbe05278ac6e146043a7ba68 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Tue, 10 Jun 2025 16:34:58 -0400
Subject: [PATCH] Update OverflowCalculated.ql

---
 cpp/ql/src/Critical/OverflowCalculated.ql | 26 ++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Critical/OverflowCalculated.ql b/cpp/ql/src/Critical/OverflowCalculated.ql
index 8958da3b22f1..0e11ca18f159 100644
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -1,7 +1,8 @@
 /**
- * @name Buffer not sufficient for string
- * @description A buffer allocated using 'malloc' may not have enough space for a string that is being copied into it. The operation can cause a buffer overrun. Make sure that the buffer contains enough room for the string (including the zero terminator).
+ * @name Buffer overflow from insufficient space or incorrect size calculation
+ * @description A buffer allocated using 'malloc' may not have enough space for a string being copied into it, or wide character functions may receive incorrect size parameters causing buffer overrun. Make sure that buffers contain enough room for strings (including zero terminator) and that size parameters are correctly calculated.
  * @kind problem
+ * @precision medium
  * @id cpp/overflow-calculated
  * @problem.severity warning
  * @security-severity 9.8
@@ -40,6 +41,25 @@ predicate spaceProblem(FunctionCall append, string msg) {
   )
 }
 
+predicate wideCharSizeofProblem(FunctionCall call, string msg) {
+  exists(
+    Variable buffer, SizeofExprOperator sizeofOp, ArrayType arrayType
+  |
+    // Function call is to wcsftime
+    call.getTarget().hasGlobalOrStdName("wcsftime") and
+    // Second argument (count parameter) is a sizeof operation
+    call.getArgument(1) = sizeofOp and
+    // The sizeof is applied to a buffer variable
+    sizeofOp.getExprOperand() = buffer.getAnAccess() and
+    // The buffer is an array of wchar_t
+    arrayType = buffer.getType() and
+    arrayType.getBaseType().hasName("wchar_t") and
+    msg =
+      "Using sizeof(" + buffer.getName() + ") passes byte count instead of wchar_t element count to wcsftime. " +
+      "Use sizeof(" + buffer.getName() + ")/sizeof(wchar_t) or array length instead."
+  )
+}
+
 from Expr problem, string msg
-where spaceProblem(problem, msg)
+where spaceProblem(problem, msg) or wideCharSizeofProblem(problem, msg)
 select problem, msg