Merge pull request github#12674 from jketema/overrunning-join

MathiasVP · web-flow · commit 889dcfe2b205 · 2023-03-27T15:36:33.000+01:00
C++: Fix join-order problem in cpp/overrun-write
diff --git a/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql
@@ -62,11 +62,16 @@ predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
 predicate isSinkPairImpl(
   CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf
 ) {
-  exists(int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr |
+  exists(
+    int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr, ArrayFunction func
+  |
     bufInstr = bufSink.asInstruction() and
     c.getArgument(bufIndex) = bufInstr and
     sizeInstr = sizeSink.asInstruction() and
-    c.getStaticCallTarget().(ArrayFunction).hasArrayWithVariableSize(bufIndex, sizeIndex) and
+    c.getStaticCallTarget() = func and
+    pragma[only_bind_into](func)
+        .hasArrayWithVariableSize(pragma[only_bind_into](bufIndex),
+          pragma[only_bind_into](sizeIndex)) and
     bounded(c.getArgument(sizeIndex), sizeInstr, delta) and
     eBuf = bufInstr.getUnconvertedResultExpression()
   )
