CPP: Basic fix.

cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql

@@ -14,6 +14,7 @@
  *       external/cwe/cwe-122
  */
 import cpp
+import semmle.code.cpp.dataflow.DataFlow
 
 class MallocCall extends FunctionCall
 {
@@ -34,6 +35,12 @@ class MallocCall extends FunctionCall
 
 predicate terminationProblem(MallocCall malloc, string msg) {
   malloc.getAllocatedSize() instanceof StrlenCall and
+  not exists(DataFlow::Node def, DataFlow::Node use, FunctionCall fc |
+    DataFlow::localFlow(def, use) and
+    def.asExpr() = malloc and
+    use.asExpr() = fc.getArgument(0) and
+    fc.getTarget().hasName("memcpy")
+  ) and
   msg = "This allocation does not include space to null-terminate the string."
 }
 

cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.expected

@@ -1,5 +1,4 @@
 | test.c:15:20:15:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:29:20:29:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:44:20:44:25 | call to malloc | This allocation does not include space to null-terminate the string. |
-| test.c:72:17:72:22 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:18:35:18:40 | call to malloc | This allocation does not include space to null-terminate the string. |

cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.c

@@ -67,7 +67,7 @@ void good3(char *str) {
 void *memcpy(void *s1, const void *s2, size_t n);
 
 void good4(char *str) {
-	// GOOD -- allocating a non zero-terminated string [FALSE POSITIVE]
+	// GOOD -- allocating a non zero-terminated string
 	int len = strlen(str);
 	char *buffer = malloc(len);