CPP: Move 'baseType' into IncorrectPointerScalingCommon.qll.

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql

@@ -13,24 +13,6 @@ import cpp
 import semmle.code.cpp.controlflow.SSA
 import IncorrectPointerScalingCommon
 
-private Type baseType(Type t) {
-  (
-    exists (PointerType dt
-    | dt = t.getUnspecifiedType() and
-      result = dt.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at
-    | at = t.getUnspecifiedType() and
-      (not at.getBaseType().getUnspecifiedType() instanceof ArrayType) and
-      result = at.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at, ArrayType at2
-    | at = t.getUnspecifiedType() and
-      at2 = at.getBaseType().getUnspecifiedType() and
-      result = baseType(at2))
-  )
-  // Make sure that the type has a size and that it isn't ambiguous.  
-  and strictcount(result.getSize()) = 1
-}
-
 from Expr dest, Type destType, Type sourceType, Type sourceBase,
      Type destBase, Location sourceLoc
 where exists(pointerArithmeticParent(dest))

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql

@@ -13,24 +13,6 @@ import cpp
 import semmle.code.cpp.controlflow.SSA
 import IncorrectPointerScalingCommon
 
-private Type baseType(Type t) {
-  (
-    exists (PointerType dt
-    | dt = t.getUnspecifiedType() and
-      result = dt.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at
-    | at = t.getUnspecifiedType() and
-      (not at.getBaseType().getUnspecifiedType() instanceof ArrayType) and
-      result = at.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at, ArrayType at2
-    | at = t.getUnspecifiedType() and
-      at2 = at.getBaseType().getUnspecifiedType() and
-      result = baseType(at2))
-  )
-  // Make sure that the type has a size and that it isn't ambiguous.  
-  and strictcount(result.getSize()) = 1
-}
-
 from Expr dest, Type destType, Type sourceType, Type sourceBase,
      Type destBase, Location sourceLoc
 where exists(pointerArithmeticParent(dest))

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingCommon.qll

@@ -55,6 +55,28 @@ predicate isPointerType(Type t) {
   t instanceof ArrayType
 }
 
+/**
+ * Gets the base type of a pointer or array type.  In the case of an array of
+ * arrays, the inner base type is returned.
+ */
+Type baseType(Type t) {
+  (
+    exists (PointerType dt
+    | dt = t.getUnspecifiedType() and
+      result = dt.getBaseType().getUnspecifiedType()) or
+    exists (ArrayType at
+    | at = t.getUnspecifiedType() and
+      (not at.getBaseType().getUnspecifiedType() instanceof ArrayType) and
+      result = at.getBaseType().getUnspecifiedType()) or
+    exists (ArrayType at, ArrayType at2
+    | at = t.getUnspecifiedType() and
+      at2 = at.getBaseType().getUnspecifiedType() and
+      result = baseType(at2))
+  )
+  // Make sure that the type has a size and that it isn't ambiguous.  
+  and strictcount(result.getSize()) = 1
+}
+
 /**
  * Holds if there is a pointer expression with type `sourceType` at
  * location `sourceLoc` which might be the source expression for `use`.

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql

@@ -13,24 +13,6 @@ import cpp
 import semmle.code.cpp.controlflow.SSA
 import IncorrectPointerScalingCommon
 
-private Type baseType(Type t) {
-  (
-    exists (PointerType dt
-    | dt = t.getUnspecifiedType() and
-      result = dt.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at
-    | at = t.getUnspecifiedType() and
-      (not at.getBaseType().getUnspecifiedType() instanceof ArrayType) and
-      result = at.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at, ArrayType at2
-    | at = t.getUnspecifiedType() and
-      at2 = at.getBaseType().getUnspecifiedType() and
-      result = baseType(at2))
-  )
-  // Make sure that the type has a size and that it isn't ambiguous.  
-  and strictcount(result.getSize()) = 1
-}
-
 from Expr dest, Type destType, Type sourceType, Type sourceBase,
      Type destBase, Location sourceLoc
 where exists(pointerArithmeticParent(dest))