CPP: Support flow of pointed-to things through function calls.

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -602,9 +602,14 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
       exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel, int iIn |
         call.getTarget() = f and
         f.hasDataFlow(inModel, outModel) and
-        outModel.isReturnValue() and
-        inModel.isParameter(iIn) and
-        fromExpr = call.getArgument(iIn)
+        fromExpr = call.getArgument(iIn) and
+        (
+          inModel.isParameter(iIn) and
+          outModel.isReturnValue()
+          or
+          inModel.isParameterDeref(iIn) and
+          outModel.isReturnValueDeref()
+        )
       )
     )
 }