hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Use 'arrayTypeCand' in 'isSourceImpl' instead of checking for array size explicitly.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-06-26 11:37:35 +01:00
parent 3b4f2b22d6
commit d68b0605cd
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
View File

@@ -78,7 +78,10 @@ predicate isInvalidPointerDerefSink2(DataFlow::Node sink, Instruction i, string
) )
} }
predicate arrayTypeCand(ArrayType arrayType) { any(Variable v).getUnspecifiedType() = arrayType } predicate arrayTypeCand(ArrayType arrayType) {
any(Variable v).getUnspecifiedType() = arrayType and
exists(arrayType.getArraySize())
}
pragma[nomagic] pragma[nomagic]
predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int arraySize) { predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int arraySize) {
@@ -143,7 +146,7 @@ predicate isSourceImpl(DataFlow::Node source, Variable v) {
or or
source.asInstruction().(VariableAddressInstruction).getAstVariable() = v source.asInstruction().(VariableAddressInstruction).getAstVariable() = v
) and ) and
exists(v.getUnspecifiedType().(ArrayType).getArraySize()) arrayTypeCand(v.getUnspecifiedType())
} }
module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig { module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig {