From d325082db31cb7590fc50e20926cb81e1fd893c2 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Tue, 21 Mar 2023 17:40:35 +0000
Subject: [PATCH] C++: Fix another place that assumed that 'Expr' was always 'Instruction'.
---
 .../src/experimental/Likely Bugs/OverrunWriteProductFlow.ql | 4 ++--
 .../Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 2 +-
 .../experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql
index 5e0d1d7b5bb..2cadfc12f04 100644
--- a/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql
+++ b/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql
@@ -24,7 +24,7 @@ import DataFlow::PathGraph
 
 pragma[nomagic]
 Instruction getABoundIn(SemBound b, IRFunction func) {
-  result = b.getExpr(0) and
+  getSemanticExpr(result) = b.getExpr(0) and
   result.getEnclosingIRFunction() = func
 }
 
@@ -110,7 +110,7 @@ class StringSizeConfiguration extends ProductFlow::Configuration {
       state1 = s1.toString() and
       state2 = s2.toString() and
       add.hasOperands(node1.asOperand(), op) and
-      semBounded(op.getDef(), any(SemZeroBound zero), delta, true, _) and
+      semBounded(getSemanticExpr(op.getDef()), any(SemZeroBound zero), delta, true, _) and
       node2.asInstruction() = add and
       s1 = s2 + delta
     )
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
index 35cce4a30da..7a10b2ac544 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -19,7 +19,7 @@ import PointerArithmeticToDerefFlow::PathGraph
 
 pragma[nomagic]
 Instruction getABoundIn(SemBound b, IRFunction func) {
-  result = b.getExpr(0) and
+  getSemanticExpr(result) = b.getExpr(0) and
   result.getEnclosingIRFunction() = func
 }
 
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
index 9cadcb505d0..069b5dc7108 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -24,7 +24,7 @@ import semmle.code.cpp.ir.IR
 
 pragma[nomagic]
 Instruction getABoundIn(SemBound b, IRFunction func) {
-  result = b.getExpr(0) and
+  getSemanticExpr(result) = b.getExpr(0) and
   result.getEnclosingIRFunction() = func
 }
 
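Review bot: The `getABoundIn` predicate fixed in this hunk is copy-pasted verbatim into ConstantSizeArrayOffByOne.ql and InvalidPointerDeref.ql, both patched identically in the same commit, and the "another place" in the title is the cost of that duplication: every change to how `SemBound` exposes its expression has to be hunted down three times, and a copy that is missed may either fail to compile or, worse, keep compiling while matching nothing, which for an overrun-write query means lost findings rather than a visible error. Hoisting the predicate into one shared library module that all three queries import would put the `getSemanticExpr(result) = b.getExpr(0)` conversion in a single place. Wherever it ends up, it also deserves a QLDoc comment; the body supports `/** Gets an instruction in 'func' whose semantic expression is the expression that the bound 'b' refers to. */`.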
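Review bot: On the changed `semBounded(...)` line, `any(SemZeroBound zero)` binds a variable `zero` that nothing references; `any(SemZeroBound)` expresses the same constraint without the dead name and trims a line that wrapping `op.getDef()` in `getSemanticExpr(...)` has pushed past 90 columns. The bare `true` argument is a positional flag whose meaning the reader has to look up in `semBounded`; it appears to select the upper bound, given that the result feeds `s1 = s2 + delta`, but confirm that against the signature and name it inline, `semBounded(getSemanticExpr(op.getDef()), any(SemZeroBound), delta, true /* upper */, _) and`. The enclosing predicate, and whatever declares `add`, `op`, `delta`, `s1` and `s2`, starts and ends outside the hunk.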
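Review bot: Nothing in the diffstat touches a query test or `.expected` file, so the commit does not show that `getABoundIn` in InvalidPointerDeref.ql (or its twins in the other two queries) actually yields results again after the change. If the old `result = b.getExpr(0)` compiled but matched nothing once `SemBound.getExpr` stopped returning an `Instruction` — the title suggests this assumption has already broken elsewhere — the bound lookup has been silently empty and the existing expectations either already encode the lost alerts or never exercised this path. A test case whose invalid-dereference alert depends on a bound reached through `getABoundIn`, with its `.expected` output updated, would pin the fix and flag the next copy that drifts.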