C++: should only match those functions that has the same number of parameters as the call has arguments.

2026-05-04 13:15:21 +02:00 · 2020-03-02 12:15:28 +01:00
parent 228bd73bd2
commit 14d836ba59
2 changed files with 12 additions and 1 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -22,7 +22,13 @@ Function viableCallable(CallInstruction call) {
  )
  or
  // Virtual dispatch
-  result = call.(VirtualDispatch::DataSensitiveCall).resolve()
+  result = call.(VirtualDispatch::DataSensitiveCall).resolve() and
+  (
+    call.getNumberOfArguments() <= result.getEffectiveNumberOfParameters() and
+    call.getNumberOfArguments() >= result.getEffectiveNumberOfParameters()
+    or
+    result.isVarargs()
+  )
 }

 /**
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -1202,6 +1202,11 @@ class CallInstruction extends Instruction {
  final Instruction getPositionalArgument(int index) {
    result = getPositionalArgumentOperand(index).getDef()
  }
+
+  /**
+   * Gets the number of arguments of the call, including the `this` pointer, if any.
+   */
+  final int getNumberOfArguments() { result = count(this.getAnArgumentOperand()) }
 }

 /**