C++: Compute the number of indirections from MaD using a new predicate.

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -262,3 +262,22 @@ module Private {
 }
 
 module Public = Impl::Public;
+
+/**
+ * Gets the number of indirections that can be returned by the function
+ * modelled using the given MaD row.
+ */
+int indirectionForModelledFunction(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string output, string kind, string provenance
+) {
+  summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
+  (
+    // Return the number of stars in `ReturnValue[...]`
+    result = output.regexpCapture("ReturnValue\\[(\\*+)\\]", 1).length()
+    or
+    // There are no brackets the result is 0
+    output = "ReturnValue" and
+    result = 0
+  )
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -459,6 +459,8 @@ private newtype TReturnKind =
   TNormalReturnKind(int indirectionIndex) {
     Ssa::hasIndirectOperand(any(ReturnValueInstruction ret).getReturnAddressOperand(),
       indirectionIndex + 1) // We subtract one because the return loads the value.
+    or
+    indirectionIndex = FlowSummaryImpl::indirectionForModelledFunction(_, _, _, _, _, _, _, _, _, _)
   } or
   TIndirectReturnKind(int argumentIndex, int indirectionIndex) {
     exists(Ssa::FinalParameterUse use |