C++: Fix swapped arguments in 'invalidPointerToDerefSource'.

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

@@ -102,8 +102,10 @@ private predicate invalidPointerToDerefSource(
     // delta is the constant difference between the pointer-arithmetic instruction
     // and the instruction computing the address for which we will search for a dereference.
     AllocToInvalidPointer::pointerAddInstructionHasBounds(source1, pai, _, delta0) and
-    bounded2(derefSource.asInstruction(), pai, delta) and
-    delta >= 0 and
+    // pai <= derefSource + delta and delta <= 0 is equivalent to
+    // derefSource >= pai + delta and delta >= 0
+    bounded1(pai, derefSource.asInstruction(), delta) and
+    delta <= 0 and
     // TODO: This condition will go away once #13725 is merged, and then we can make `Barrier2`
     // private to `AllocationToInvalidPointer.qll`.
     not derefSource.getBasicBlock() = AllocToInvalidPointer::Barrier2::getABarrierBlock(delta0)