Merge pull request #7593 from MathiasVP/fix-join-order-in-get-conversion-type

MathiasVP · web-flow · commit 78642aaae21b · 2022-01-17T11:01:08.000Z
C++: Fix join order in 'getConversionType4'
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -382,6 +382,9 @@ private int lengthInBase10(float f) {
   result = f.log10().floor() + 1
 }
 
+pragma[nomagic]
+private predicate isPointerTypeWithBase(Type base, PointerType pt) { base = pt.getBaseType() }
+
 bindingset[expr]
 private BufferWriteEstimationReason getEstimationReasonForIntegralExpression(Expr expr) {
   // we consider the range analysis non trivial if it
@@ -962,19 +965,19 @@ class FormatLiteral extends Literal {
       (
         conv = ["s", "S"] and
         len = "h" and
-        result.(PointerType).getBaseType() instanceof PlainCharType
+        isPointerTypeWithBase(any(PlainCharType plainCharType), result)
         or
         conv = ["s", "S"] and
         len = ["l", "w"] and
-        result.(PointerType).getBaseType() = this.getWideCharType()
+        isPointerTypeWithBase(this.getWideCharType(), result)
         or
         conv = "s" and
         (len != "l" and len != "w" and len != "h") and
-        result.(PointerType).getBaseType() = this.getDefaultCharType()
+        isPointerTypeWithBase(this.getDefaultCharType(), result)
         or
         conv = "S" and
         (len != "l" and len != "w" and len != "h") and
-        result.(PointerType).getBaseType() = this.getNonDefaultCharType()
+        isPointerTypeWithBase(this.getNonDefaultCharType(), result)
       )
     )
   }
