CPP: Fix in dataflow.

cpp/ql/src/semmle/code/cpp/security/TaintTracking.qll

@@ -75,7 +75,11 @@ predicate moveToDependingOnSide(Expr src, Expr dest) {
     and (base = binop.getLeftOperand() or base = binop.getRightOperand())
     and isPointer(base.getType())
     and base.getTarget() instanceof LocalScopeVariable
-    and src = base)
+    and src = base
+
+    // flow through pointer-pointer subtraction is dubious, the result should be
+    // a number bounded by the size of the pointed-to thing.
+    and not binop instanceof PointerDiffExpr)
   or exists (UnaryOperation unop |
     dest = unop
     and unop.getAnOperand() = src)

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -4,4 +4,3 @@
 | test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:55:11:55:24 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:79:9:79:29 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp

@@ -76,7 +76,7 @@ void processData2(char *start, char *end)
 {
 	char *copy;
 
-	copy = new char[end - start]; // GOOD [FALSE POSITIVE]
+	copy = new char[end - start]; // GOOD
 
 	// ...