C++: restore flow for non-class partial reads
This would otherwise have lost a good qltest result at CWE-134/semmle/funcs/funcsLocal.c:58:9:58:10
@@ -199,6 +199,17 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
|
||||
// Flow through pointer dereference
|
||||
i2.(LoadInstruction).getSourceAddress() = i1
|
||||
or
|
||||
// Flow through partial reads of arrays, unions, and pointer parameters
|
||||
// TODO: `UnknownType` includes *all* pointer parameters. We only want
|
||||
// array-like pointer parameters
|
||||
i2.(LoadInstruction).getSourceValueOperand().getAnyDef() = i1 and
|
||||
not i1.isResultConflated() and
|
||||
(
|
||||
i1.getResultType() instanceof ArrayType or
|
||||
i1.getResultType() instanceof UnknownType or
|
||||
i1.getResultType() instanceof Union
|
||||
)
|
||||
or
|
||||
// Unary instructions tend to preserve enough information in practice that we
|
||||
// want taint to flow through.
|
||||
// The exception is `FieldAddressInstruction`. Together with the rule for
|
||||
|
||||
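Review bot: The `i1.getResultType() instanceof UnknownType` disjunct in the new partial-read rule lets taint flow through a load from any pointer parameter, not only array-like ones, as the TODO above it says; since this only widens a taint step, the likely effect is extra (imprecise) results rather than lost flow, but an inline TODO is easy to lose, so I would reference a tracked issue there or narrow the disjunct before merging. The commit title says the restored flow is for non-class partial reads, yet the comment on the new block only names arrays, unions, and pointer parameters, so a later reader may "complete" the list with class types; I would extend it to `// Flow through partial reads of arrays, unions, and pointer parameters (class/struct reads are intentionally not covered by this disjunct)`, presumably because they are handled by another step. The enclosing predicate instructionTaintStep begins and ends outside the hunk.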