[DIFF-INFORMED] C++: CWE-190/ArithmeticTainted,etc.

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -106,6 +106,12 @@ module Config implements DataFlow::ConfigSig {
       not iTo instanceof PointerArithmeticInstruction
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr e | result = e.getLocation() | isSink(sink, _, e))
+  }
 }
 
 module Flow = TaintTracking::Global<Config>;

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -120,6 +120,12 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
     // block unintended flow to pointers
     node.asExpr().getUnspecifiedType() instanceof PointerType
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    result = getExpr(source).getLocation()
+  }
 }
 
 module UncontrolledArith = TaintTracking::Global<UncontrolledArithConfig>;

cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

@@ -113,6 +113,12 @@ module Config implements DataFlow::ConfigSig {
       not iTo instanceof PointerArithmeticInstruction
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(VariableAccess va | result = va.getLocation() | isSink(sink, va, _))
+  }
 }
 
 module Flow = TaintTracking::Global<Config>;

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -91,6 +91,12 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
     // to duplicate results)
     any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr alloc | result = alloc.getLocation() | allocSink(alloc, sink))
+  }
 }
 
 module TaintedAllocationSize = TaintTracking::Global<TaintedAllocationSizeConfig>;