hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Prune flow states based on 'PointerArithmeticToDerefConfig'.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-05-24 15:16:34 -07:00
parent 4ed7450689
commit 64d7b4923d
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
View File

@@ -78,7 +78,7 @@ predicate isInvalidPointerDerefSink2(DataFlow::Node sink, Instruction i, string
)
}
predicate pointerArithOverflow(
predicate pointerArithOverflow0(
PointerArithmeticInstruction pai, Field f, int size, int bound, int delta
) {
pai.getElementSize() = f.getUnspecifiedType().(ArrayType).getBaseType().getSize() and
@@ -89,7 +89,7 @@ predicate pointerArithOverflow(
module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
pointerArithOverflow(source.asInstruction(), _, _, _, _)
pointerArithOverflow0(source.asInstruction(), _, _, _, _)
}
predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink1(sink, _, _) }
@@ -97,6 +97,13 @@ module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefConfig>;
predicate pointerArithOverflow(
PointerArithmeticInstruction pai, Field f, int size, int bound, int delta
) {
pointerArithOverflow0(pai, f, size, bound, delta) and
PointerArithmeticToDerefFlow::flow(DataFlow::instructionNode(pai), _)
}
module FieldAddressToDerefConfig implements DataFlow::StateConfigSig {
newtype FlowState =
additional TArray(Field f) { pointerArithOverflow(_, f, _, _, _) } or