From 53dbfcb3aa6dc75871474e1f9538e2f582ea7a43 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Tue, 26 Sep 2023 10:29:19 +0200
Subject: [PATCH 1/2] C++: use in/out barriers with flow state
---
 cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql | 4 ++--
 .../Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
index 0686c4a707c6..f56064a12207 100644
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -134,8 +134,8 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
 predicate isBarrier(DataFlow::Node node) { isBarrierImpl(node) }
- predicate isBarrierOut(DataFlow::Node node) {
- isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
+ predicate isBarrierOut(DataFlow::Node node, FlowState state) {
+ isSink(node, state) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
 }
 }
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
index c38a012b27bf..018974419a54 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -168,9 +168,9 @@ module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig {
 )
 }
- predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
+ predicate isBarrierIn(DataFlow::Node node, FlowState state) { isSource(node, state) }
- predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
+ predicate isBarrierOut(DataFlow::Node node, FlowState state) { isSink(node, state) }
 predicate isAdditionalFlowStep(
 DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
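Review bot: The comment kept on the new `isSink(node, state)` line in ExecTainted.ql still describes the old `_` behaviour: it says the out-barrier exists to suppress duplicate results along a chain of `shellCommand` wrappers, but a state-specific barrier only cuts flow in the state for which the node is a sink, so flow that reaches the same wrapper in a different state now passes through it. Whether that can reintroduce duplicates depends on how many flow states `ExecTaintConfig` declares, which is outside the hunk; if the narrowing is intended, the comment should say so, e.g. `// State-specific so a sink in one state does not block flow in another; still suppresses duplicates along a wrapper chain within a state`. The `isBarrierIn`/`isBarrierOut` pair in the ConstantSizeArrayOffByOne.ql hunk has the same shape and carries no rationale at all, so the same one-line comment would help there. Both predicates sit inside module bodies whose opening lines appear only in the hunk headers.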
From 75786e9a7138125e567a56537c33dd635aee7a84 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 26 Aug 2025 10:43:54 +0200
Subject: [PATCH 2/2] C++: Revert changes to `cpp/constant-array-overflow`
It is not clear that this does what we want here, and the query is severly broken in any case.
---
 .../Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
index c74936e7367b..b7b2de6000ae 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -168,9 +168,9 @@ module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig {
 )
 }
- predicate isBarrierIn(DataFlow::Node node, FlowState state) { isSource(node, state) }
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
- predicate isBarrierOut(DataFlow::Node node, FlowState state) { isSink(node, state) }
+ predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
 predicate isAdditionalFlowStep(
 DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2