Merge pull request #17354 from paldepind/realloc-data-flow

C++: Make realloc a data-flow function
2026-05-05 13:45:19 +02:00 · 2024-09-04 09:04:12 +02:00
parent 99400fe3d4 75643043bc
commit 04f4039adc
11 changed files with 95 additions and 66 deletions
--- a/cpp/ql/lib/change-notes/2024-09-03-realloc-data-flow.md
+++ b/cpp/ql/lib/change-notes/2024-09-03-realloc-data-flow.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
@@ -5,13 +5,13 @@
 */

 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.DataFlow

 /**
 * An allocation function (such as `realloc`) that has an argument for the size
 * in bytes, and an argument for an existing pointer that is to be reallocated.
 */
-private class ReallocAllocationFunction extends AllocationFunction, TaintFunction {
+private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunction {
  int sizeArg;
  int reallocArg;

@@ -44,7 +44,7 @@ private class ReallocAllocationFunction extends AllocationFunction, TaintFunctio

  override int getReallocPtrArg() { result = reallocArg }

-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
    input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
  }
 }