C++: Fix 'case 2' in 'destroyedToBeginSink' now that we're working with the sink instead of the source.

MathiasVP · MathiasVP · commit eb2790ae6349 · 2024-04-17T10:10:39.000+01:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-416/IteratorToExpiredContainer.ql b/cpp/ql/src/experimental/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
@@ -65,10 +65,11 @@ DataFlow::Node getADestroyedNode() {
       isPostUpdateOfQualifier(destructorCall, result)
     )
     or
+    // Case 2: Anything that was derived from the temporary that is now destroyed
+    // is also destroyed.
     exists(CallInstruction call |
       result.asInstruction() = call and
-      DataFlow::localFlow(destroyedTemp.getNode(),
-        DataFlow::operandNode(call.getThisArgumentOperand()))
+      DataFlow::localFlow(DataFlow::operandNode(call.getThisArgumentOperand()), n)
     |
       call.getStaticCallTarget() instanceof StdSequenceContainerAt or
       call.getStaticCallTarget() instanceof StdMapAt

Original file line number	Diff line number	Diff line change
`@@ -65,10 +65,11 @@ DataFlow::Node getADestroyedNode() {`
`65`	`65`	`isPostUpdateOfQualifier(destructorCall, result)`
`66`	`66`	`)`
`67`	`67`	`or`
	`68`	`+ // Case 2: Anything that was derived from the temporary that is now destroyed`
	`69`	`+ // is also destroyed.`
`68`	`70`	`exists(CallInstruction call \|`
`69`	`71`	`result.asInstruction() = call and`
`70`		`- DataFlow::localFlow(destroyedTemp.getNode(),`
`71`		`- DataFlow::operandNode(call.getThisArgumentOperand()))`
	`72`	`+ DataFlow::localFlow(DataFlow::operandNode(call.getThisArgumentOperand()), n)`
`72`	`73`	`\|`
`73`	`74`	`call.getStaticCallTarget() instanceof StdSequenceContainerAt or`
`74`	`75`	`call.getStaticCallTarget() instanceof StdMapAt`