hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Fix FP on CWE-193 by blocking flow through back-edges of phi nodes.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2022-09-27 14:44:47 +01:00
parent 0c79c2836c
commit e4305948ef
6 changed files with 86 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
View File

@@ -128,6 +128,10 @@ class AllocToInvalidPointerConf extends ProductFlow::Configuration {
state2 = delta.toString()
)
}
override predicate isBarrierOut2(DataFlow::Node node) {
node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
}
}
pragma[nomagic]
@@ -154,11 +158,11 @@ predicate pointerAddInstructionHasOperands(
*/
pragma[nomagic]
predicate pointerAddInstructionHasBounds(
PointerAddInstruction pai, DataFlow::Node sink1, Instruction sink2, int delta
PointerAddInstruction pai, DataFlow::Node sink1, DataFlow::Node sink2, int delta
) {
exists(Instruction right |
pointerAddInstructionHasOperands(pai, sink1.asInstruction(), right) and
bounded(right, sink2, delta)
bounded(right, sink2.asInstruction(), delta)
)
}
@@ -171,7 +175,7 @@ predicate pointerAddInstructionHasBounds(
predicate isSinkImpl(
PointerAddInstruction pai, DataFlow::Node sink1, DataFlow::Node sink2, int delta
) {
pointerAddInstructionHasBounds(pai, sink1, sink2.asInstruction(), delta)
pointerAddInstructionHasBounds(pai, sink1, sink2, delta)
}
/**