hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

CPP: Alter the dataflow case.

Browse Source
This commit is contained in:
Geoffrey White
2018-10-05 18:37:05 +01:00
parent 8ab830f21c
commit 8163def3ae
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
View File

@@ -48,6 +48,7 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
/**
* Get the size in bytes of the buffer pointed to by an expression (if this can be determined).
*/
language[monotonicAggregates]
int getBufferSize(Expr bufferExpr, Element why) {
exists(Variable bufferVar | bufferVar = bufferExpr.(VariableAccess).getTarget() |
(
@@ -82,16 +83,19 @@ int getBufferSize(Expr bufferExpr, Element why) {
why = bufferExpr
) or (
// dataflow (all sources must be the same size)
forex(Expr def |
result = min(Expr def |
DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
result = getBufferSize(def, _)
getBufferSize(def, _)
) and result = max(Expr def |
DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
getBufferSize(def, _)
) and
// find reason
exists(Expr def |
DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
why = def or
result = getBufferSize(def, why)
exists(getBufferSize(def, why))
)
) or exists(Type bufferType |
// buffer is the address of a variable