C++: Mark fprintf and friends as a partial write of the stream argument.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -170,6 +170,16 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
       output.isParameterDeref(this.getOutputParameterIndex(_))
     )
   }
+
+  final override predicate isPartialWrite(FunctionOutput output) {
+    exists(int outputParameterIndex |
+      output.isParameterDeref(outputParameterIndex) and
+      // We require the output to be a stream since that definitely means that
+      // it's a partial write. If it's not a stream then it will most likely
+      // fill the whole buffer.
+      outputParameterIndex = this.getOutputParameterIndex(true)
+    )
+  }
 }
 
 /**

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -840,6 +840,6 @@ int f7(void)
 {
   FILE* fp = (FILE*)indirect_source();
   fprintf(fp, "");
-	indirect_sink(fp); // $ MISSING: ast,ir
+	indirect_sink(fp); // $ ir MISSING: ast
   return 0;
 }