CPP: Use dataflow more consistently.

2026-04-30 03:05:15 +02:00 · 2019-11-19 17:54:04 +00:00
parent e6ea705ff2
commit 2212c47db2
1 changed files with 4 additions and 8 deletions
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -22,19 +22,15 @@ class MallocCall extends FunctionCall {
  MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }

  Expr getAllocatedSize() {
-    if this.getArgument(0) instanceof VariableAccess
-    then
-      exists(LocalScopeVariable v, ControlFlowNode def |
-        definitionUsePair(v, def, this.getArgument(0)) and
-        exprDefinition(v, def, result)
-      )
-    else result = this.getArgument(0)
+    result = this.getArgument(0)
  }
 }

 predicate terminationProblem(MallocCall malloc, string msg) {
  // malloc(strlen(...))
-  malloc.getAllocatedSize() instanceof StrlenCall and
+  exists(StrlenCall strlen |
+    DataFlow::localExprFlow(strlen, malloc.getAllocatedSize())
+  ) and
  // flows into a null-terminated string function
  exists(ArrayFunction af, FunctionCall fc, int arg |
    DataFlow::localExprFlow(malloc, fc.getArgument(arg)) and