hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 04:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Repair a few broken models that were incorrectly a pointer

Browse Source 
as tainted (instead of the pointee), or vice versa. Because of
existing dataflow pointer/pointee conflation we never noticed that,
but since this PR removes those imprecisions we now need to update
these models.
This commit is contained in:
Mathias Vorreiter Pedersen
2022-08-26 14:55:20 +01:00
parent 6d313ace2d
commit 5509562fe6
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
View File

@@ -223,7 +223,7 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc
output.isQualifierObject()
or
input.isQualifierObject() and
output.isReturnValueDeref()
output.isReturnValue()
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

2
cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
View File

@@ -176,7 +176,7 @@ private class StdSequenceContainerInsert extends TaintFunction {
) and
(
output.isQualifierObject() or
output.isReturnValueDeref()
output.isReturnValue()
)
}
}

6
cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
View File

@@ -176,7 +176,7 @@ private class StdStringAppend extends TaintFunction {
) and
(
output.isQualifierObject() or
output.isReturnValueDeref()
output.isReturnValue()
)
or
// reverse flow from returned reference to the qualifier (for writes to
@@ -543,11 +543,11 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from second parameter to first parameter
input.isParameter(1) and
input.isParameterDeref(1) and
output.isParameterDeref(0)
or
// flow from second parameter to return value
input.isParameter(1) and
input.isParameterDeref(1) and
output.isReturnValueDeref()
or
// reverse flow from returned reference to the first parameter

2
cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
View File

@@ -61,7 +61,7 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
input.isParameterDeref(0) and
output.isParameterDeref(0)
or
input.isParameter(1) and
input.isParameterDeref(1) and
output.isParameterDeref(0)
}