hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Use the pruning stage in the product-flow configuration.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-06-29 16:50:57 +01:00
parent f8b1dc9f59
commit 59d9c6e3f2
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
View File

@@ -120,6 +120,10 @@ module ValidState {
predicate isBarrier(DataFlow::Node node, FlowState state) { none() } predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
predicate isBarrierOut(DataFlow::Node node) {
node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
}
predicate isAdditionalFlowStep( predicate isAdditionalFlowStep(
DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2 DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
) { ) {
@@ -233,7 +237,8 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
// we use `state2` to remember that there was an offset (in this case an offset of `1`) added // we use `state2` to remember that there was an offset (in this case an offset of `1`) added
// to the size of the allocation. This state is then checked in `isSinkPair`. // to the size of the allocation. This state is then checked in `isSinkPair`.
exists(state1) and exists(state1) and
hasSize(bufSource.asConvertedExpr(), sizeSource, state2) hasSize(bufSource.asConvertedExpr(), sizeSource, state2) and
validState(sizeSource, state2)
} }
predicate isSinkPair( predicate isSinkPair(