CPP: Handle array accesses.

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -15,7 +15,8 @@ import cpp
 // or accesses a possibly stack allocated local variables
 predicate exprMaybeStackAllocated(Expr e) {
   e instanceof AggregateLiteral or
-  varMaybeStackAllocated(e.(VariableAccess).getTarget())
+  varMaybeStackAllocated(e.(VariableAccess).getTarget()) or
+  exprMayPointToStack(e.(ArrayExpr).getArrayBase())
 }
 
 // a local variable is possibly stack allocated if it is not static and
@@ -34,9 +35,11 @@ predicate exprMayPointToStack(Expr e) {
   or
   varMayPointToStack(e.(VariableAccess).getTarget())
   or
-  exprMaybeStackAllocated(e) and
-  e.getType() instanceof ArrayType and
-  e.getFullyConverted().getType() instanceof PointerType
+  (
+    exprMaybeStackAllocated(e) and
+    e.getType() instanceof ArrayType and
+    e.getFullyConverted().getType() instanceof PointerType
+  )
 }
 
 // a local variable possibly points to the stack if it is initialized to/assigned to

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnCstrOfLocalStdString.expected

@@ -2,3 +2,4 @@
 | test.cpp:20:2:20:12 | return ... | May return stack-allocated memory. |
 | test.cpp:73:2:73:12 | return ... | May return stack-allocated memory. |
 | test.cpp:93:2:93:12 | return ... | May return stack-allocated memory. |
+| test.cpp:100:2:100:19 | return ... | May return stack-allocated memory. |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp

@@ -97,7 +97,7 @@ char *testArray2()
 {
 	char arr[256];
 
-	return &(arr[10]); // BAD [NOT DETECTED]
+	return &(arr[10]); // BAD
 }
 
 char testArray3()