C++: Fix Code Scanning errors.

MathiasVP · MathiasVP · commit 576f021c2523 · 2023-07-18T18:15:25.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
@@ -2,7 +2,6 @@ private import cpp
 private import semmle.code.cpp.ir.dataflow.internal.ProductFlow
 private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.ir.IR
 private import codeql.util.Unit
 private import RangeAnalysisUtil
 
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
@@ -2,7 +2,6 @@ private import cpp
 private import semmle.code.cpp.dataflow.new.DataFlow
 private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.ir.IR
 private import AllocationToInvalidPointer as AllocToInvalidPointer
 private import RangeAnalysisUtil
 
@@ -174,7 +173,7 @@ private predicate derefSinkToOperation(
  * Holds if `allocation` is the result of an allocation that flows to the left-hand side of `pai`, and where
  * the right-hand side of `pai` is an offset such that the result of `pai` points to an out-of-bounds pointer.
  *
- * Futhermore, `derefSource` is at least as large as `pai` and flows to `derefSink` before being dereferenced
+ * Furthermore, `derefSource` is at least as large as `pai` and flows to `derefSink` before being dereferenced
  * by `operation` (which is either a `StoreInstruction` or `LoadInstruction`). The result is that `operation`
  * dereferences a pointer that's "off by `delta`" number of elements.
  */
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/AllocationToInvalidPointer.ql b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/AllocationToInvalidPointer.ql
@@ -8,8 +8,8 @@ module AllocationToInvalidPointerTest implements TestSig {
   string getARelevantTag() { result = "alloc" }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DataFlow::Node allocation, PointerAddInstruction pai, DataFlow::Node sink1, int delta |
-      pointerAddInstructionHasBounds(allocation, pai, sink1, delta) and
+    exists(DataFlow::Node allocation, PointerAddInstruction pai, int delta |
+      pointerAddInstructionHasBounds(allocation, pai, _, delta) and
       location = pai.getLocation() and
       element = pai.toString() and
       tag = "alloc"
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql
@@ -48,10 +48,10 @@ module InvalidPointerToDereferenceTest implements TestSig {
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(
-      PointerArithmeticInstruction pai, DataFlow::Node derefSource, DataFlow::Node derefSink,
-      DataFlow::Node operation, int delta, string value1, string value2
+      DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation, int delta,
+      string value1, string value2
     |
-      operationIsOffBy(_, pai, derefSource, derefSink, _, operation, delta) and
+      operationIsOffBy(_, _, derefSource, derefSink, _, operation, delta) and
       location = operation.getLocation() and
       element = operation.toString() and
       tag = "deref" and
