Merge pull request #2799 from MathiasVP/missing-flow-in-crement

C++: Fix false negatives for postfix crement expressions
2025-12-20 10:46:30 +01:00 · 2020-02-12 15:03:48 +01:00
parent 12113e947f c8be67ce0e
commit 2abe416670
1 changed files with 6 additions and 0 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -335,6 +335,12 @@ private Element adjustedSink(DataFlow::Node sink) {
  // For compatibility, send flow into a `NotExpr` even if it's part of a
  // short-circuiting condition and thus might get skipped.
  result.(NotExpr).getOperand() = sink.asExpr()
+  or
+  // Taint postfix and prefix crement operations when their operand is tainted.
+  result.(CrementOperation).getAnOperand() = sink.asExpr()
+  or
+  // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
+  result.(AssignOperation).getAnOperand() = sink.asExpr()
 }

 predicate tainted(Expr source, Element tainted) {