Add files via upload

ihsinme · web-flow · commit b7de370918e4 · 2021-04-26T23:04:08.000+03:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
@@ -12,40 +12,33 @@
 
 import cpp
 
-/**
- * The function allows `getASuccessor` to be called recursively.
- * This provides a stop in situations of possible influence on the pointer.
- */
-ControlFlowNode recursASuccessor(FunctionCall fc, LocalScopeVariable v) {
-  result = fc
-  or
-  exists(ControlFlowNode mid |
-    mid = recursASuccessor(fc, v) and
-    result = mid.getASuccessor() and
-    not result = v.getAnAssignedValue() and
-    not result.(AddressOfExpr).getOperand() = v.getAnAccess() and
-    not (
-      not result instanceof DeallocationExpr and
-      result.(FunctionCall).getAnArgument().(VariableAccess).getTarget() = v
-    ) and
+from FunctionCall fc, FunctionCall fc2, LocalScopeVariable v
+where
+  freeCall(fc, v.getAnAccess()) and
+  freeCall(fc2, v.getAnAccess()) and
+  fc != fc2 and
+  fc.getASuccessor*() = fc2 and
+  not exists(Expr exptmp |
+    (exptmp = v.getAnAssignedValue() or exptmp.(AddressOfExpr).getOperand() = v.getAnAccess()) and
+    exptmp = fc.getASuccessor*() and
+    exptmp = fc2.getAPredecessor*()
+  ) and
+  not exists(FunctionCall fctmp |
+    not fctmp instanceof DeallocationExpr and
+    fctmp = fc.getASuccessor*() and
+    fctmp = fc2.getAPredecessor*() and
+    fctmp.getAnArgument().(VariableAccess).getTarget() = v
+  ) and
+  (
+    fc.getTarget().hasGlobalOrStdName("realloc") and
     (
-      fc.getTarget().hasGlobalOrStdName("realloc") and
-      (
-        not fc.getParent*() instanceof IfStmt and
-        not result instanceof IfStmt
+      not fc.getParent*() instanceof IfStmt and
+      not exists(IfStmt iftmp |
+        iftmp.getCondition().getAChild*().(VariableAccess).getTarget().getAnAssignedValue() = fc
       )
-      or
-      not fc.getTarget().hasGlobalOrStdName("realloc")
     )
+    or
+    not fc.getTarget().hasGlobalOrStdName("realloc")
   )
-}
-
-from FunctionCall fc
-where
-  exists(FunctionCall fc2, LocalScopeVariable v |
-    freeCall(fc, v.getAnAccess()) and
-    freeCall(fc2, v.getAnAccess()) and
-    fc != fc2 and
-    recursASuccessor(fc, v) = fc2
-  )
-select fc.getArgument(0), "This pointer may be cleared again later."
+select fc2.getArgument(0),
+  "This pointer may have already been cleared in the line " + fc.getLocation().getStartLine() + "."
