From fc07f1864405aca26c63d3d8fcbc28f34725c8dc Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Thu, 23 Sep 2021 09:54:59 +0100
Subject: [PATCH] Add CodeQL query to detect variants of issue #1920.
---
 .../exiv2-cpp-queries/signed_shift.ql | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/codeql-queries/exiv2-cpp-queries/signed_shift.ql
diff --git a/.github/codeql-queries/exiv2-cpp-queries/signed_shift.ql b/.github/codeql-queries/exiv2-cpp-queries/signed_shift.ql
new file mode 100644
index 00000000..a33ec8d2
--- /dev/null
+++ b/.github/codeql-queries/exiv2-cpp-queries/signed_shift.ql
@@ -0,0 +1,24 @@
+/**
+ * @name Signed shift
+ * @description Shifting a negative number is undefined behavior,
+ * so it is risky to shift a signed number.
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/signed-shift
+ * @tags security
+ * external/cwe/cwe-758
+ */
+
+// See the "Bitwise shift operators" section here:
+// https://en.cppreference.com/w/cpp/language/operator_arithmetic
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+from BinaryBitwiseOperation shift, Expr lhs
+where
+ (shift instanceof LShiftExpr or shift instanceof RShiftExpr) and
+ lhs = shift.getLeftOperand().getFullyConverted() and
+ lowerBound(lhs) < 0
+select shift,
+ "This signed shift could cause undefined behavior if the value is negative. Type of lhs: " +
+ lhs.getType().toString()
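Review bot: The `from`/`where` clauses match only `LShiftExpr` and `RShiftExpr`, so compound shift assignments (`x <<= n`, `x >>= n`) are not covered; the CodeQL C++ library models those as `AssignLShiftExpr`/`AssignRShiftExpr` (shifted operand via `getLValue()`), so a variant of #1920 written as a compound assignment would slip past this query, and extending the disjunction to those classes would close that gap. Separately, the cppreference page the comment cites treats right-shifting a negative signed value as implementation-defined rather than undefined before C++20, so the `@description` and the select message overstate the case for `>>`; wording such as `"Shifting a negative signed value is undefined (<<) or implementation-defined (>>) behavior before C++20"` would be more precise. The query also says nothing about the shift count (right operand), which is undefined when negative or at least the width of the promoted left operand; if that is deliberately out of scope, a one-line comment saying so would help the next reader of the query.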