C++: Fixup queries to keep the old results.

2026-05-04 13:15:21 +02:00 · 2023-11-20 18:07:39 +00:00
parent ef2caa3944
commit 976adc3c7c
3 changed files with 9 additions and 4 deletions
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -35,10 +35,15 @@ predicate isSource(FS::FlowSource source, string sourceType) { sourceType = sour

 predicate isSink(DataFlow::Node sink, string kind) {
  exists(Expr use |
-    use = sink.asExpr() and
    not use.getUnspecifiedType() instanceof PointerType and
    outOfBoundsExpr(use, kind) and
    not inSystemMacroExpansion(use)
+  |
+    if
+      sink.asDefinition() instanceof CrementOperation or
+      sink.asDefinition() instanceof AssignOperation
+    then use = sink.asDefinition()
+    else use = sink.asExpr()
  )
 }

--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -60,7 +60,7 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }

  predicate isBarrier(DataFlow::Node node) {
-    exists(Expr e | e = node.asExpr() |
+    exists(Expr e | e = [node.asExpr(), node.asDefinition()] |
      // There can be two separate reasons for `convertedExprMightOverflow` not holding:
      // 1. `e` really cannot overflow.
      // 2. `e` isn't analyzable.