hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Repair a few broken models that were incorrectly a pointer

Browse Source 
as tainted (instead of the pointee), or vice versa. Because of
existing dataflow pointer/pointee conflation we never noticed that,
but since this PR removes those imprecisions we now need to update
these models.
This commit is contained in:
Mathias Vorreiter Pedersen
2022-08-26 14:55:20 +01:00
parent 6d313ace2d
commit 5509562fe6
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
View File

@@ -176,7 +176,7 @@ private class StdStringAppend extends TaintFunction {
) and
(
output.isQualifierObject() or
output.isReturnValueDeref()
output.isReturnValue()
)
or
// reverse flow from returned reference to the qualifier (for writes to
@@ -543,11 +543,11 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from second parameter to first parameter
input.isParameter(1) and
input.isParameterDeref(1) and
output.isParameterDeref(0)
or
// flow from second parameter to return value
input.isParameter(1) and
input.isParameterDeref(1) and
output.isReturnValueDeref()
or
// reverse flow from returned reference to the first parameter