From a669fa4aa1170dd739220d1ac53fd4eaf129ef69 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 21 Aug 2020 15:35:00 +0100
Subject: [PATCH] Do not flow taint through remainder expressions
If the tainted operand is the first operand then it is being bounded above by the remainder expression. If it is the second operand then
---
 .../go/security/AllocationSizeOverflowCustomizations.qll | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll b/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
index f99851a3504..dffd5ac098e 100644
--- a/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
+++ b/ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
@@ -175,7 +175,7 @@ module AllocationSizeOverflow {
 /**
 * Holds if the value of `pred` can flow into `succ` in one step, either through a call to `len`
- * or through an arithmetic operation.
+ * or through an arithmetic operation (other than remainder).
 */
 predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
 exists(DataFlow::CallNode c |
@@ -184,7 +184,8 @@ module AllocationSizeOverflow {
 succ = c
 )
 or
- succ.asExpr().(ArithmeticExpr).getAnOperand() = pred.asExpr()
+ succ.asExpr().(ArithmeticExpr).getAnOperand() = pred.asExpr() and
+ not succ.asExpr() instanceof RemExpr
 }
 /**
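Review bot: The added `not succ.asExpr() instanceof RemExpr` carries no comment and the QLDoc in the first hunk says only `(other than remainder)`, so a reader of the .qll cannot tell why remainder is safe to drop from the overflow taint steps — the rationale lives only in the commit message. I would record it in the QLDoc on `additionalStep`, e.g. `* or through an arithmetic operation other than remainder, whose result's magnitude never exceeds that of either operand, so a tainted operand cannot make it larger than the untainted one.` That keeps the exclusion reviewable the next time someone widens `ArithmeticExpr` steps. The opening of `additionalStep` and its `exists(...)` branch sit in the previous hunk; only the predicate's closing `}` is visible here.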