C++: new helper predicates in ScanfFunctionCall

Extract some of the logic from the `cpp/missing-check-scanf` query into
the more generally useful `getOutputArgument(int index)`, `getAnOutputArgument()`,
and `getNumberOfOutputArguments()` predicates.

Author: d10c

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -143,6 +143,28 @@ class ScanfFunctionCall extends FunctionCall {
    * (rather than a `char*`).
    */
   predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }
+
+  /**
+   * Gets the output argument at position `n` in the vararg list of this call.
+   *
+   * The range of `n` is from `0` to `this.getNumberOfOutputArguments() - 1`.
+   */
+  Expr getOutputArgument(int n) {
+    result = this.getArgument(this.getTarget().getNumberOfParameters() + n) and
+    n >= 0
+  }
+
+  /**
+   * Gets an output argument given to this call in vararg position.
+   */
+  Expr getAnOutputArgument() { result = this.getOutputArgument(_) }
+
+  /**
+   * Gets the number of output arguments present in this call.
+   */
+  int getNumberOfOutputArguments() {
+    result = this.getNumberOfArguments() - this.getTarget().getNumberOfParameters()
+  }
 }
 
 /**

cpp/ql/src/Critical/MissingCheckScanf.ql

@@ -25,8 +25,7 @@ class ScanfOutput extends Expr {
   ValueNumber valNum;
 
   ScanfOutput() {
-    this = call.getArgument(call.getTarget().getNumberOfParameters() + varargIndex) and
-    varargIndex >= 0 and
+    this = call.getOutputArgument(varargIndex) and
     instr.getUnconvertedResultExpression() = this and
     valueNumber(instr) = valNum and
     // The following line is a kludge to prohibit more than one associated `instr` field,