Skip to content

Commit 1e699ec

Browse files
MathiasVPMathiasVP
committed
C++: Simplify 'InvalidPointerToDereference.qll' now that the difference between 'derefSource' and 'pai' is always 0.
1 parent c8edf31 commit 1e699ec

File tree

1 file changed

+12
-20
lines changed

1 file changed

+12
-20
lines changed

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

Lines changed: 12 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ int invalidPointerToDereferenceFieldFlowBranchLimit() { result = 0 }
9696
private module InvalidPointerToDerefBarrier {
9797
private module BarrierConfig implements DataFlow::ConfigSig {
9898
additional predicate isSource(DataFlow::Node source, PointerArithmeticInstruction pai) {
99-
invalidPointerToDerefSource(_, pai, _, _) and
99+
invalidPointerToDerefSource(_, pai, _) and
100100
// source <= pai
101101
bounded2(source.asInstruction(), pai, any(int d | d <= 0))
102102
}
@@ -169,11 +169,11 @@ private module InvalidPointerToDerefBarrier {
169169
*/
170170
private module InvalidPointerToDerefConfig implements DataFlow::StateConfigSig {
171171
class FlowState extends PointerArithmeticInstruction {
172-
FlowState() { invalidPointerToDerefSource(_, this, _, _) }
172+
FlowState() { invalidPointerToDerefSource(_, this, _) }
173173
}
174174

175175
predicate isSource(DataFlow::Node source, FlowState pai) {
176-
invalidPointerToDerefSource(_, pai, source, _)
176+
invalidPointerToDerefSource(_, pai, source)
177177
}
178178

179179
pragma[inline]
@@ -201,16 +201,14 @@ private import DataFlow::GlobalWithState<InvalidPointerToDerefConfig>
201201
* left-hand side of the pointer-arithmetic instruction represented by `derefSource`.
202202
*/
203203
private predicate invalidPointerToDerefSource(
204-
DataFlow::Node allocSource, PointerArithmeticInstruction pai, DataFlow::Node derefSource,
205-
int deltaDerefSourceAndPai
204+
DataFlow::Node allocSource, PointerArithmeticInstruction pai, DataFlow::Node derefSource
206205
) {
207206
// Note that `deltaDerefSourceAndPai` is not necessarily equal to `rhsSizeDelta`:
208207
// `rhsSizeDelta` is the constant offset added to the size of the allocation, and
209208
// `deltaDerefSourceAndPai` is the constant difference between the pointer-arithmetic instruction
210209
// and the instruction computing the address for which we will search for a dereference.
211210
AllocToInvalidPointer::pointerAddInstructionHasBounds(allocSource, pai, _, _) and
212-
derefSource.asInstruction() = pai and
213-
deltaDerefSourceAndPai = 0
211+
derefSource.asInstruction() = pai
214212
}
215213

216214
/**
@@ -253,11 +251,9 @@ private Instruction getASuccessor(Instruction instr) {
253251
instr.getBlock().getASuccessor+() = result.getBlock()
254252
}
255253

256-
private predicate paiForDereferenceSink(
257-
PointerArithmeticInstruction pai, DataFlow::Node derefSink, int deltaDerefSourceAndPai
258-
) {
254+
private predicate paiForDereferenceSink(PointerArithmeticInstruction pai, DataFlow::Node derefSink) {
259255
exists(DataFlow::Node derefSource |
260-
invalidPointerToDerefSource(_, pai, derefSource, deltaDerefSourceAndPai) and
256+
invalidPointerToDerefSource(_, pai, derefSource) and
261257
flow(derefSource, derefSink)
262258
)
263259
}
@@ -269,10 +265,10 @@ private predicate paiForDereferenceSink(
269265
*/
270266
private predicate derefSinkToOperation(
271267
DataFlow::Node derefSink, PointerArithmeticInstruction pai, DataFlow::Node operation,
272-
string description, int deltaDerefSourceAndPai, int deltaDerefSinkAndDerefAddress
268+
string description, int deltaDerefSinkAndDerefAddress
273269
) {
274270
exists(Instruction operationInstr, AddressOperand addr |
275-
paiForDereferenceSink(pai, pragma[only_bind_into](derefSink), deltaDerefSourceAndPai) and
271+
paiForDereferenceSink(pai, pragma[only_bind_into](derefSink)) and
276272
isInvalidPointerDerefSink(derefSink, addr, operationInstr, description,
277273
deltaDerefSinkAndDerefAddress) and
278274
operationInstr = getASuccessor(derefSink.asInstruction()) and
@@ -293,11 +289,7 @@ predicate operationIsOffBy(
293289
DataFlow::Node allocation, PointerArithmeticInstruction pai, DataFlow::Node derefSource,
294290
DataFlow::Node derefSink, string description, DataFlow::Node operation, int delta
295291
) {
296-
exists(int deltaDerefSourceAndPai, int deltaDerefSinkAndDerefAddress |
297-
invalidPointerToDerefSource(allocation, pai, derefSource, deltaDerefSourceAndPai) and
298-
flow(derefSource, derefSink) and
299-
derefSinkToOperation(derefSink, pai, operation, description, deltaDerefSourceAndPai,
300-
deltaDerefSinkAndDerefAddress) and
301-
delta = deltaDerefSourceAndPai + deltaDerefSinkAndDerefAddress
302-
)
292+
invalidPointerToDerefSource(allocation, pai, derefSource) and
293+
flow(derefSource, derefSink) and
294+
derefSinkToOperation(derefSink, pai, operation, description, delta)
303295
}

0 commit comments

Comments
 (0)