mirror of
https://github.com/github/codeql.git
synced 2025-12-22 11:46:32 +01:00
83f807f182
As a temporary workaround in the `DefaultTaintTracking` library, we funnel flow across calls by conflating pointer and object both at the caller and the callee. The three cases in `adjustedSink` were deleted because they are now covered by the one case for `ReadSideEffectInstruction` in `instructionTaintStep`. When enabling `DefaultTaintTracking`, this commit on top of #2736 has the effect effect of recovering two lost results: --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected @@ -1,2 +1,4 @@ | overflowdestination.cpp:30:2:30:8 | call to strncpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | | overflowdestination.cpp:46:2:46:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:53:2:53:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:64:2:64:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | In the internal repo, we recover one lost result. Additionally, there are two queries that gain an extra source for an existing sink. I'll classify that as noise. The new results look like this: foo(argv); // this `argv` is a new source for the sink in `bar` bar(argv); // this `argv` is the existing source for the sink in `bar`