C++: Fix spurious results in default taint tracking

This commit is contained in:
Jeroen Ketema
2023-01-16 19:00:46 +01:00
parent 2aace0df2c
commit a892ae8764
5 changed files with 12 additions and 26 deletions


@@ -46,8 +46,10 @@ predicate hasUpperBoundsCheck(Variable var) {
}
predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
readsVariable(node.asInstruction(), checkedVar) and
any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
exists(Instruction instr | instr = node.asOperand().getDef() |
readsVariable(instr, checkedVar) and
any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
)
}
predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
@@ -79,8 +81,8 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
e = any(PointerDiffExpr diff).getAnOperand()
)
or
exists(Variable checkedVar |
node.asExpr().(VariableAccess).getTarget() = checkedVar and
exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
readsVariable(instr, checkedVar) and
hasUpperBoundsCheck(checkedVar)
)
or
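Review bot: The new barrier condition at the two added lines (`exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() | readsVariable(instr, checkedVar) and ...`) repeats the "operand's defining instruction reads checkedVar" pattern that `nodeIsBarrierEqualityCandidate` now also uses in the earlier hunk, so the two places can drift apart the next time the node shape changes. I would factor it into one documented helper, e.g. `predicate readsVariableViaOperand(DataFlow::Node node, Variable v) { readsVariable(node.asOperand().getDef(), v) }`, and call it from both sites, with a QLDoc comment on the helper recording that barriers are matched on operand nodes rather than instruction or expression nodes, since nothing in either hunk explains that choice. The enclosing predicate of this hunk begins before the hunk and continues past its final `or`.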