C++: Add GOOD and BAD comments to qhelp examples.

MathiasVP · MathiasVP · commit 351caaccfe59 · 2023-11-29T09:44:54.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsBad.cpp b/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsBad.cpp
@@ -1,6 +1,8 @@
 #include <string>
 void work(const char*);
 
+// BAD: the concatenated string is deallocated when `c_str` returns. So `work`
+// is given a pointer to invalid memory.
 void work_with_combined_string_bad(std::string s1, std::string s2) {
   const char* combined_string = (s1 + s2).c_str();
   work(combined_string);
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsGood.cpp b/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsGood.cpp
@@ -1,6 +1,8 @@
 #include <string>
 void work(const char*);
 
+// GOOD: the concatenated string outlives the call to `work`. So the pointer
+// obtainted from `c_str` is valid.
 void work_with_combined_string_good(std::string s1, std::string s2) {
   auto combined_string = s1 + s2;
   work(combined_string.c_str());
