hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Fix join order in 'cpp/unsafe-strncat'.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-03-31 21:33:28 +01:00
parent 2b9daed26a
commit e5700e07c7
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
View File

@@ -48,11 +48,11 @@ predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
* argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
*/
predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
interestingCallWithArgs(fc, sizeArg, destArg) and
predicate case2(FunctionCall fc, Expr sizeArg, Expr destArg) {
interestingCallWithArgs(fc, pragma[only_bind_into](sizeArg), pragma[only_bind_into](destArg)) and
exists(SubExpr sub, int n |
// The destination buffer is an array of size n
destArg.getUnspecifiedType().(ArrayType).getSize() = n and
pragma[only_bind_out](destArg.getUnspecifiedType().(ArrayType).getSize()) = n and
// The size argument is equivalent to a subtraction
globalValueNumber(sizeArg).getAnExpr() = sub and
// ... where the left side of the subtraction is the constant n