hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Fix use-after-cast bug in SimpleRangeAnalysis

Browse Source 
Like everywhere else in the range analysis, operands to comparison
operators must be considered in their fully-converted form.
This commit is contained in:
Jonas Jensen
2019-03-07 12:19:02 +01:00
parent ad61b4f55e
commit b827e7a1ea
3 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll
View File

@@ -47,8 +47,8 @@ predicate relOp(
RelationalOperation rel, Expr lhs, Expr rhs,
RelationDirection dir, RelationStrictness strict
) {
lhs = rel.getLeftOperand() and
rhs = rel.getRightOperand() and
lhs = rel.getLeftOperand().getFullyConverted() and
rhs = rel.getRightOperand().getFullyConverted() and
((rel instanceof LTExpr and dir = Lesser() and strict = Strict()) or
(rel instanceof LEExpr and dir = Lesser() and strict = Nonstrict()) or
(rel instanceof GTExpr and dir = Greater() and strict = Strict()) or
@@ -104,8 +104,8 @@ predicate relOpWithSwapAndNegate(
*/
private
predicate eqOp(EqualityOperation cmp, Expr lhs, Expr rhs, boolean isEQ) {
lhs = cmp.getLeftOperand() and
rhs = cmp.getRightOperand() and
lhs = cmp.getLeftOperand().getFullyConverted() and
rhs = cmp.getRightOperand().getFullyConverted() and
((cmp instanceof EQExpr and isEQ = true) or
(cmp instanceof NEExpr and isEQ = false))
}