C++: Stop taint from flowing to arithmetic types

These are not likely to give the user much control over what can be accessed.

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/stdlib.h

@@ -6,6 +6,7 @@
 typedef struct {} FILE;
 #define FILENAME_MAX 1000
 typedef unsigned long size_t;
+#define NULL ((void*)0)
 
 FILE *fopen(const char *filename, const char *mode);
 int sprintf(char *s, const char *format, ...);
@@ -13,3 +14,4 @@ size_t strlen(const char *s);
 char *strncat(char *s1, const char *s2, size_t n);
 int scanf(const char *format, ...);
 void *malloc(size_t size);
+double strtod(const char *ptr, char **endptr);

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/test.c

@@ -43,4 +43,12 @@ int main(int argc, char** argv) {
     scanf("%s", fileName);
     fopen(fileName, "wb+"); // BAD
   }
+
+  {
+    char *aNumber = getenv("A_NUMBER");
+    double number = strtod(aNumber, 0);
+    char fileName[20];
+    sprintf(fileName, "/foo/%f", number);
+    fopen(fileName, "wb+"); // GOOD
+  }
 }