CVE-2021-34334: Extra checking to prevent loop counter from wrapping around by kevinbackhouse · Pull Request #1766 · Exiv2/exiv2
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.
I used two CodeQL queries to find loop conditions similar to the original bug. Both queries have quite a few false positives, so I ignored some of the results.
The first query looks for loop conditions of the form a < b where the value of b could be larger than the type of a is capable of representing. For example: a is a uint16_t and b is a size_t.
import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils

// Find loop conditions of the form `a < b` where the upper bound of `b`
// exceeds the largest value the type of `a` can hold (e.g. a uint16_t
// counter compared against a size_t). Such a counter can wrap to zero
// before ever reaching `b`, so the loop never terminates.
from Loop loop, RelationalOperation cmp, Expr a, Expr b, LocalVariable v
where loop.getCondition().getAChild*() = cmp
and a = cmp.getLesserOperand()
and b = cmp.getGreaterOperand()
// exprMaxVal(a): largest value representable by the type of `a`;
// upperBound(...): range-analysis upper bound of `b` after conversions.
and exprMaxVal(a) < upperBound(b.getFullyConverted())
// Only report comparisons whose lesser operand involves a local variable
// (the loop counter); this filters out comparisons of constants and globals.
and a.getAChild*() = v.getAnAccess()
select cmp, a, b
The second query looks for loop conditions that do arithmetic in the comparison. For example: a < size-10.
import cpp
// Find loop conditions like this: `while (a < size-10)`.
// Conditions like that are often an overflow risk.
from Loop loop, RelationalOperation cmp, BinaryArithmeticOperation binop
where
loop.getCondition().getAChild*() = cmp and
binop = cmp.getAnOperand() and
not binop.isConstant() and
// Ignore results in the standard libraries and in the xmpsdk subdirectory.
exists (string path |
path = cmp.getLocation().getFile().getRelativePath() and
not path.matches("xmpsdk/%"))
select binop, "Arithmetic in loop condition."
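The bug class the first query hunts for (a narrow loop counter compared against a wider bound) and the kind of extra check that prevents the wrap, as an added, constructed C illustration that is not Exiv2's code or the actual patch. `max_iters` is an assumed safety valve so the vulnerable demo itself cannot hang; a real parser would not have it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Vulnerable pattern (constructed illustration, not Exiv2's code):
 * a 16-bit counter compared against a size_t bound. If `bound` is larger
 * than UINT16_MAX, `i` wraps from 65535 back to 0 before reaching it and
 * the loop never terminates. `max_iters` is an assumed safety valve for
 * this demo only: the function returns -1 instead of spinning forever. */
long vulnerable_loop(size_t bound, unsigned long max_iters) {
    unsigned long iters = 0;
    for (uint16_t i = 0; (size_t)i < bound; i++) {
        if (++iters > max_iters) {
            return -1; /* the loop would have run forever */
        }
    }
    return (long)iters;
}

/* The fix pattern: check, before entering the loop, that the bound is
 * representable by the counter type, so `i < bound` is always reachable. */
bool bound_fits_counter(size_t bound) {
    return bound <= UINT16_MAX;
}

/* Fixed loop: bounds the counter cannot represent are treated as malformed
 * input and rejected (returns -1) rather than being looped against. */
long fixed_loop(size_t bound) {
    if (!bound_fits_counter(bound)) {
        return -1;
    }
    unsigned long iters = 0;
    for (uint16_t i = 0; (size_t)i < bound; i++) {
        iters++;
    }
    return (long)iters;
}
```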