hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Taint from FormattingFunction varargs.

Browse Source
This commit is contained in:
Geoffrey White
2020-01-28 14:04:53 +00:00
parent 8b215c155e
commit d66f608d41
5 changed files with 41 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
View File

@@ -154,7 +154,13 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
override predicate hasArrayOutput(int bufParam) { bufParam = getOutputParameterIndex() }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input.isParameterDeref(getFormatParameterIndex()) and
output.isParameterDeref(getOutputParameterIndex())
exists(int arg |
(
arg = getFormatParameterIndex() or
arg >= getFirstFormatArgumentIndex()
) and
input.isParameterDeref(arg) and
output.isParameterDeref(getOutputParameterIndex())
)
}
}