C++: Resolve firstFormatArgumentIndex in FormattingFunction CP

2026-04-23 07:45:17 +02:00 · 2024-10-18 14:52:54 +01:00
parent 4341fab794
commit 419780591a
3 changed files with 22 additions and 29 deletions
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll
@@ -91,7 +91,7 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
  override int getFirstFormatArgumentIndex() {
    if this.hasName("__builtin___sprintf_chk")
    then result = 4
-    else result = this.getNumberOfExplicitParameters()
+    else result = super.getFirstFormatArgumentIndex()
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -42,6 +42,18 @@ private Type getAFormatterWideTypeOrDefault() {
 * A standard library function that uses a `printf`-like formatting string.
 */
 abstract class FormattingFunction extends ArrayFunction, TaintFunction {
+  int firstFormatArgumentIndex;
+
+  FormattingFunction() {
+    firstFormatArgumentIndex > 0 and
+    if this.hasDefinition()
+    then firstFormatArgumentIndex = this.getDefinition().getNumberOfParameters()
+    else
+      forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
+        firstFormatArgumentIndex = fde.getNumberOfParameters()
+      )
+  }
+
  /** Gets the position at which the format parameter occurs. */
  abstract int getFormatParameterIndex();

@@ -121,34 +133,7 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
   * the first format specifier in the format string. We ignore all
   * implicit function definitions.
   */
-  int getFirstFormatArgumentIndex() {
-    // The formatting function either has a definition in the snapshot, or all
-    // `DeclarationEntry`s agree on the number of parameters (otherwise we don't
-    // really know the correct number)
-    result > 0 and // Avoid invalid declarations
-    if this.hasDefinition()
-    then result = this.getDefinition().getNumberOfParameters()
-    else result = this.getNumberOfExplicitParameters()
-  }
-
-  /**
-   * Gets a non-implicit function declaration entry.
-   */
-  private FunctionDeclarationEntry getAnExplicitDeclarationEntry() {
-    result = this.getADeclarationEntry() and
-    not result.isImplicit()
-  }
-
-  /**
-   * Gets the number of parameters, excluding any parameters that have been defined
-   * from implicit function declarations. If there is some inconsistency in the number
-   * of parameters, then don't return anything.
-   */
-  int getNumberOfExplicitParameters() {
-    forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
-      result = fde.getNumberOfParameters()
-    )
-  }
+  int getFirstFormatArgumentIndex() { result = firstFormatArgumentIndex }

  /**
   * Gets the position of the buffer size argument, if any.