Merge pull request #1967 from jbj/tainttracking-ir-2

C++: DefaultTaintTracking flow from a to a[i]
2026-05-03 04:39:29 +02:00 · 2019-09-19 15:00:29 -07:00
parent 9c6a0ffc48 29c93488bc
commit d3f2d8169e
1 changed files with 4 additions and 4 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -90,10 +90,10 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
    predictableInstruction(i2.getAnOperand().getDef()) and
    i1 = i2.getAnOperand().getDef()
  )
-  // TODO: Check that we have flow from `a` to `a[i]`. It may work for constant
-  // `i` because there is flow through `predictable` `BinaryInstruction` and
-  // through `LoadInstruction`.
-  //
+  or
+  // This is part of the translation of `a[i]`, where we want taint to flow
+  // from `a`.
+  i2.(PointerAddInstruction).getLeft() = i1
  // TODO: Flow from argument to return of known functions: Port missing parts
  // of `returnArgument` to the `interfaces.Taint` and `interfaces.DataFlow`
  // libraries.