add detection of errant equal, mismatch, and is_permutation

flawfinder

@@ -816,9 +816,15 @@ def c_static_array(hit):
         add_warning(hit)  # Found a static array, warn about it.
 
 
-def normal(hit):
+def cpp_unsafe_stl(hit):
+    # Use one of the overloaded classes from the STL in C++14 and higher
+    # instead of the <C++14 versions of theses functions that did not
+    # if the second iterator could overflow
+    if len(hit.parameters) <= 4:
         add_warning(hit)
 
+def normal(hit):
+    add_warning(hit)
 
 # "c_ruleset": the rules for identifying "hits" in C (potential warnings).
 # It's a dictionary, where the key is the function name causing the hit,
@@ -1309,6 +1315,13 @@ c_ruleset = {
      "Make sure input data is filtered, especially if an attacker could manipulate it",
      "input", "", {'input': 1}),
 
+    # Unsafe STL functions that don't check the second iterator
+    "equal|mismatch|is_permutation":
+    (cpp_unsafe_stl,
+     2, # need further analysis to consider risk level
+     "Function does not check the second iterator for overflow conditions (CWE-119/CWE-120)",
+     "These functions are typically banned by most C++ coding standards in favor of their safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it",
+     "buffer", "", {}),
 
     # TODO: detect C++'s:   cin >> charbuf, where charbuf is a char array; the problem
     #       is that flawfinder doesn't have type information, and ">>" is safe with