C++: Address review comments.

MathiasVP · MathiasVP · commit 0db54e08b8a5 · 2021-02-02T10:48:07.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Sscanf.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Sscanf.qll
@@ -19,7 +19,8 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S
   override predicate hasArrayWithNullTerminator(int bufParam) {
     bufParam = this.(ScanfFunction).getFormatParameterIndex()
     or
-    bufParam = this.(Sscanf).getInputParameterIndex()
+    not this instanceof Fscanf and
+    bufParam = this.(ScanfFunction).getInputParameterIndex()
   }
 
   override predicate hasArrayInput(int bufParam) { hasArrayWithNullTerminator(bufParam) }
@@ -35,16 +36,10 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S
     )
   }
 
-  private int getArgsStartPosition() {
-    exists(int nLength, int nLocale |
-      (if exists(getLocaleParameterIndex()) then nLocale = 1 else nLocale = 0) and
-      (if exists(getLengthParameterIndex()) then nLength = 1 else nLength = 0) and
-      result = 2 + nLocale + nLength
-    )
-  }
+  private int getArgsStartPosition() { result = this.getNumberOfParameters() }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(0) and
+    input.isParameterDeref(this.(ScanfFunction).getInputParameterIndex()) and
     output.isParameterDeref(any(int i | i >= getArgsStartPosition()))
   }
 

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,8 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S`
`19`	`19`	`override predicate hasArrayWithNullTerminator(int bufParam) {`
`20`	`20`	`bufParam = this.(ScanfFunction).getFormatParameterIndex()`
`21`	`21`	`or`
`22`		`- bufParam = this.(Sscanf).getInputParameterIndex()`
	`22`	`+ not this instanceof Fscanf and`
	`23`	`+ bufParam = this.(ScanfFunction).getInputParameterIndex()`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`override predicate hasArrayInput(int bufParam) { hasArrayWithNullTerminator(bufParam) }`
`@@ -35,16 +36,10 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S`
`35`	`36`	`)`
`36`	`37`	`}`
`37`	`38`
`38`		`- private int getArgsStartPosition() {`
`39`		`- exists(int nLength, int nLocale \|`
`40`		`- (if exists(getLocaleParameterIndex()) then nLocale = 1 else nLocale = 0) and`
`41`		`- (if exists(getLengthParameterIndex()) then nLength = 1 else nLength = 0) and`
`42`		`- result = 2 + nLocale + nLength`
`43`		`- )`
`44`		`- }`
	`39`	`+ private int getArgsStartPosition() { result = this.getNumberOfParameters() }`
`45`	`40`
`46`	`41`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`47`		`- input.isParameterDeref(0) and`
	`42`	`+ input.isParameterDeref(this.(ScanfFunction).getInputParameterIndex()) and`
`48`	`43`	`output.isParameterDeref(any(int i \| i >= getArgsStartPosition()))`
`49`	`44`	`}`
`50`	`45`