fix(c): reduce false positives in double-free and use-after-free rules

c/lang/security/double-free.c

@@ -1,4 +1,5 @@
 #include <stdlib.h>
+#include <string.h>
 
 int bad_code1() {
     char *var = malloc(sizeof(char) * 10);
@@ -25,3 +26,57 @@ int okay_code2() {
     free(var);
     return 0;
 }
+
+// return separates two mutually exclusive cleanup paths
+int okay_code3_return_separates(int error) {
+    char *var = malloc(sizeof(char) * 10);
+    if (!error) {
+        free(var);
+        return 0;
+    }
+    // ok: double-free
+    free(var);
+    return -1;
+}
+
+// goto-based error handling with return between free calls
+int okay_code4_goto_pattern(int flag) {
+    char *buf = malloc(100);
+    if (flag) {
+        free(buf);
+        return 0;
+    }
+    // ok: double-free
+    free(buf);
+    return -1;
+}
+
+// calloc reallocation between frees
+int okay_code5_calloc() {
+    char *var = malloc(sizeof(char) * 10);
+    free(var);
+    var = calloc(20, sizeof(char));
+    // ok: double-free
+    free(var);
+    return 0;
+}
+
+// realloc between frees
+int okay_code6_realloc() {
+    char *var = malloc(sizeof(char) * 10);
+    free(var);
+    var = realloc(NULL, 20);
+    // ok: double-free
+    free(var);
+    return 0;
+}
+
+// strdup between frees
+int okay_code7_strdup() {
+    char *var = strdup("hello");
+    free(var);
+    var = strdup("world");
+    // ok: double-free
+    free(var);
+    return 0;
+}

c/lang/security/double-free.yaml

@@ -13,6 +13,30 @@ rules:
       $VAR = malloc(...);
       ...
       free($VAR);
+  - pattern-not: |
+      free($VAR);
+      ...
+      $VAR = calloc(...);
+      ...
+      free($VAR);
+  - pattern-not: |
+      free($VAR);
+      ...
+      $VAR = realloc(...);
+      ...
+      free($VAR);
+  - pattern-not: |
+      free($VAR);
+      ...
+      $VAR = strdup(...);
+      ...
+      free($VAR);
+  - pattern-not: |
+      free($VAR);
+      ...
+      return ...;
+      ...
+      free($VAR);
   - pattern-inside: |
       free($VAR);
       ...

c/lang/security/function-use-after-free.c

@@ -66,3 +66,24 @@ int okay_code2() {
     other_func((char*)*var);
     return 0;
 }
+
+// calloc reallocation between free and use
+int okay_code3_calloc() {
+    NAME *var;
+    var = (NAME *)malloc(sizeof(struct name));
+    free(var);
+    var = calloc(1, sizeof(struct name));
+    // ok: function-use-after-free
+    other_func((char*)var);
+    return 0;
+}
+
+// strdup reallocation between free and use
+int okay_code4_strdup() {
+    char *var = strdup("hello");
+    free(var);
+    var = strdup("world");
+    // ok: function-use-after-free
+    other_func(var);
+    return 0;
+}

c/lang/security/function-use-after-free.yaml

@@ -22,6 +22,21 @@ rules:
           ...
           $VAR = malloc(...);
           ...
+      - pattern-not-inside:
+          free($VAR);
+          ...
+          $VAR = calloc(...);
+          ...
+      - pattern-not-inside:
+          free($VAR);
+          ...
+          $VAR = realloc(...);
+          ...
+      - pattern-not-inside:
+          free($VAR);
+          ...
+          $VAR = strdup(...);
+          ...
     message: Variable '$VAR' was passed to a function after being freed. This can lead to undefined behavior.
     metadata:
       cwe:

c/lang/security/use-after-free.c

@@ -1,5 +1,6 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 
 typedef struct name {
     char *myname;
@@ -187,3 +188,35 @@ int bad_code7() {
     strcpy(buf, var);
     return 0;
 }
+
+// calloc reallocation between free and use
+int ok_code7_calloc() {
+    NAME *var;
+    var = (NAME *)malloc(sizeof(struct name));
+    free(var);
+    var = calloc(1, sizeof(struct name));
+    // ok: use-after-free
+    var->func("new allocation");
+    return 0;
+}
+
+// realloc reallocation between free and use
+int ok_code8_realloc() {
+    char *var;
+    var = (char *)malloc(100);
+    free(var);
+    var = realloc(NULL, 200);
+    // ok: use-after-free
+    char c = var[0];
+    return 0;
+}
+
+// strdup reallocation between free and use
+int ok_code9_strdup() {
+    char *var = strdup("hello");
+    free(var);
+    var = strdup("world");
+    // ok: use-after-free
+    char c = var[0];
+    return 0;
+}

c/lang/security/use-after-free.yaml

@@ -16,6 +16,21 @@ rules:
           ...
           $VAR = malloc(...);
           ...
+      - pattern-not-inside:
+          free($VAR);
+          ...
+          $VAR = calloc(...);
+          ...
+      - pattern-not-inside:
+          free($VAR);
+          ...
+          $VAR = realloc(...);
+          ...
+      - pattern-not-inside:
+          free($VAR);
+          ...
+          $VAR = strdup(...);
+          ...
     message: >-
       Variable '$VAR' was used after being freed. This can lead to undefined behavior.
     metadata: