diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
index 50e13945e29..eb9eb9e8b73 100644
--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
@@ -2,7 +2,6 @@ private import cpp
 private import semmle.code.cpp.ir.dataflow.internal.ProductFlow
 private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.ir.IR
 private import codeql.util.Unit
 private import RangeAnalysisUtil
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
index 4aacce01acc..cbb2ff1f3d3 100644
--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
@@ -2,7 +2,6 @@ private import cpp
 private import semmle.code.cpp.dataflow.new.DataFlow
 private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.ir.IR
 private import AllocationToInvalidPointer as AllocToInvalidPointer
 private import RangeAnalysisUtil
@@ -174,7 +173,7 @@ private predicate derefSinkToOperation(
 * Holds if `allocation` is the result of an allocation that flows to the left-hand side of `pai`, and where
 * the right-hand side of `pai` is an offset such that the result of `pai` points to an out-of-bounds pointer.
 *
- * Futhermore, `derefSource` is at least as large as `pai` and flows to `derefSink` before being dereferenced
+ * Furthermore, `derefSource` is at least as large as `pai` and flows to `derefSink` before being dereferenced
 * by `operation` (which is either a `StoreInstruction` or `LoadInstruction`). The result is that `operation`
 * dereferences a pointer that's "off by `delta`" number of elements.
 */
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/AllocationToInvalidPointer.ql b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/AllocationToInvalidPointer.ql
index 50ef96903ac..50baab4bfa7 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/AllocationToInvalidPointer.ql
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/AllocationToInvalidPointer.ql
@@ -8,8 +8,8 @@ module AllocationToInvalidPointerTest implements TestSig {
 string getARelevantTag() { result = "alloc" }
 predicate hasActualResult(Location location, string element, string tag, string value) {
- exists(DataFlow::Node allocation, PointerAddInstruction pai, DataFlow::Node sink1, int delta |
- pointerAddInstructionHasBounds(allocation, pai, sink1, delta) and
+ exists(DataFlow::Node allocation, PointerAddInstruction pai, int delta |
+ pointerAddInstructionHasBounds(allocation, pai, _, delta) and
 location = pai.getLocation() and
 element = pai.toString() and
 tag = "alloc"
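Review bot: In the new `exists` on the second changed line of the AllocationToInvalidPointer.ql hunk, `allocation` is still declared but, within the hunk, appears only in the `pointerAddInstructionHasBounds(allocation, pai, _, delta)` call — the same single-use pattern the commit replaces for `sink1`. If the remainder of `hasActualResult` (which continues past the end of the hunk) does not read `allocation` when computing `value`, it should become a wildcard as well: `exists(PointerAddInstruction pai, int delta |` and `pointerAddInstructionHasBounds(_, pai, _, delta) and`. The same check applies to `derefSource` and `derefSink` in the InvalidPointerToDereference.ql hunk, though those are presumably consumed by `value1`/`value2` below that hunk.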
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql
index b97abdf8838..c4d9be5cb8b 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql
@@ -48,10 +48,10 @@ module InvalidPointerToDereferenceTest implements TestSig {
 predicate hasActualResult(Location location, string element, string tag, string value) {
 exists(
- PointerArithmeticInstruction pai, DataFlow::Node derefSource, DataFlow::Node derefSink,
- DataFlow::Node operation, int delta, string value1, string value2
+ DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation, int delta,
+ string value1, string value2
 |
- operationIsOffBy(_, pai, derefSource, derefSink, _, operation, delta) and
+ operationIsOffBy(_, _, derefSource, derefSink, _, operation, delta) and
 location = operation.getLocation() and
 element = operation.toString() and
 tag = "deref" and