hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-20 22:44:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Simplify the definition of 'isNonConst'. On ImageMagick I get the same exact sources before and after.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2024-03-12 14:15:44 +00:00
parent 179a7d500e
commit 6a563c161e
1 changed files with 12 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
View File

@@ -109,35 +109,28 @@ predicate isNonConst(DataFlow::Node node) {
// i.e., functions that with unknown bodies and are not known to define the output through its input
// are considered as possible non-const sources
// The function's output must also not be const to be considered a non-const source
(
exists(Function func, CallInstruction call |
not func.hasDefinition() and
func = call.getStaticCallTarget()
|
// Case 1: It's a known dataflow or taintflow function with flow to the return value
exists(Function func, CallInstruction call |
call.getUnconvertedResultExpression() = node.asIndirectExpr() and
func = call.getStaticCallTarget() and
not exists(FunctionOutput output |
dataFlowOrTaintFlowFunction(func, output) and
output.isReturnValueDeref() and
node = callOutput(call, output)
)
call.getUnconvertedResultExpression() = node.asIndirectExpr() and
not exists(FunctionOutput output |
dataFlowOrTaintFlowFunction(func, output) and
output.isReturnValueDeref(_) and
node = callOutput(call, output)
)
or
// Case 1: It's a known dataflow or taintflow function with flow to an output parameter
exists(Function func, int i, CallInstruction call |
// Case 2: It's a known dataflow or taintflow function with flow to an output parameter
exists(int i |
call.getPositionalArgumentOperand(i).getDef().getUnconvertedResultExpression() =
node.asDefiningArgument() and
func = call.getStaticCallTarget() and
not exists(FunctionOutput output |
dataFlowOrTaintFlowFunction(func, output) and
output.isParameterDeref(i) and
output.isParameterDeref(i, _) and
node = callOutput(call, output)
)
)
) and
not exists(Call c |
c.getTarget().hasDefinition() and
if node instanceof DataFlow::DefinitionByReferenceNode
then c.getAnArgument() = node.asDefiningArgument()
else c = node.asIndirectExpr()
)
}