Merge pull request #20400 from MathiasVP/cleanup-incorrect-scanf-query

C++: Cleanup `ScanfChecks.qll`
This commit is contained in:
Mathias Vorreiter Pedersen
2025-09-10 16:31:49 +01:00
committed by GitHub


@@ -4,14 +4,10 @@ private import semmle.code.cpp.controlflow.IRGuards
private import semmle.code.cpp.ir.ValueNumbering
private predicate exprInBooleanContext(Expr e) {
exists(IRGuardCondition gc |
exists(Instruction i |
exists(IRGuardCondition gc, Instruction i |
i.getUnconvertedResultExpression() = e and
gc.comparesEq(valueNumber(i).getAUse(), 0, _, _)
)
or
gc.getUnconvertedResultExpression() = e
)
}
private predicate isLinuxKernel() {
@@ -36,8 +32,7 @@ private string getEofValue() {
* Holds if the value of `call` has been checked to not equal `EOF`.
*/
private predicate checkedForEof(ScanfFunctionCall call) {
exists(IRGuardCondition gc |
exists(CallInstruction i | i.getUnconvertedResultExpression() = call |
exists(IRGuardCondition gc, CallInstruction i | i.getUnconvertedResultExpression() = call |
exists(int val | gc.comparesEq(valueNumber(i).getAUse(), val, _, _) |
// call == EOF
val = getEofValue().toInt()
@@ -51,7 +46,6 @@ private predicate checkedForEof(ScanfFunctionCall call) {
val >= 0
)
)
)
}
/**
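Review bot: `exprInBooleanContext` in the first hunk still carries no QLDoc, and after this change its contract is less obvious from the code: the hunk header's counts (14 old lines, 10 new) suggest the `or gc.getUnconvertedResultExpression() = e` disjunct was dropped rather than re-nested, leaving `comparesEq(valueNumber(i).getAUse(), 0, _, _)` as the only way a bare truth test such as `if (scanf(...))` is recognised (the rendered view has lost the +/- markers, so this is inferred, not certain). I would add above the predicate: `/** Holds if a guard condition compares the value of e (possibly implicitly, as in a bare if/while condition) against 0, so that its truth value decides a branch. */`. If the dropped disjunct was redundant because `comparesEq` already covers the implicit `!= 0` of a bare condition, a one-line comment saying so, or a test with a bare `if (scanf(...))` guard, would make the cleanup verifiably behaviour-preserving for the unchecked-scanf-result query. The same `exists` merge in `checkedForEof` (second hunk) looks purely structural; that predicate's body runs past the end of the third hunk.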