C++: Add more dataflow cases to replace the loss.

geoffw0 · geoffw0 · commit 487910456887 · 2021-04-13T15:09:12.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -34,7 +34,7 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
  * Holds if `e` is known or suspected to be less than or equal to
  * `sub.getLeftOperand()`.
  */
-predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
+predicate exprIsSubLeftOrLess(SubExpr sub, Element e) {
   e = sub.getLeftOperand()
   or
   exists(Expr other |
@@ -46,6 +46,24 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
     )
   )
   or
+  exists(Element other |
+    // dataflow (via parameter)
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::parameterNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::parameterNode(other), DataFlow::exprNode(e))
+    )
+  )
+  or
+  exists(Element other |
+    // dataflow (via uninitialized)
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::uninitializedNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::uninitializedNode(other), DataFlow::exprNode(e))
+    )
+  )
+  or
   exists(Expr other |
     // guard constraining `sub`
     exprIsSubLeftOrLess(sub, other) and
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -1,7 +1,5 @@
 | test.cpp:6:5:6:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:10:8:10:24 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:22:12:22:20 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:32:12:32:20 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
@@ -11,8 +9,6 @@
 | test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:219:7:219:15 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:226:8:226:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:276:11:276:19 | ... > ... | Unsigned subtraction can never be negative. |
