C++: Clean up SprintfBW and comment Sprintf.

geoffw0 · geoffw0 · commit c3d275d0e768 · 2020-06-24T18:34:02.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -66,12 +66,19 @@ class Sprintf extends FormattingFunction {
   Sprintf() {
     this instanceof TopLevelFunction and
     (
+      // sprintf(dst, format, args...)
       hasGlobalOrStdName("sprintf") or
+      //  _sprintf_l(dst, format, locale, args...)
       hasGlobalName("_sprintf_l") or
+      // __swprintf_l(dst, format, locale, args...)
       hasGlobalName("__swprintf_l") or
+      // wsprintf(dst, format, args...)
       hasGlobalOrStdName("wsprintf") or
+      // g_strdup_printf(format, ...)
       hasGlobalName("g_strdup_printf") or
+      // g_sprintf(dst, format, ...)
       hasGlobalName("g_sprintf") or
+      // __builtin___sprintf_chk(dst, flag, os, format, ...)
       hasGlobalName("__builtin___sprintf_chk")
     ) and
     not exists(getDefinition().getFile().getRelativePath())
diff --git a/cpp/ql/src/semmle/code/cpp/security/BufferWrite.qll b/cpp/ql/src/semmle/code/cpp/security/BufferWrite.qll
@@ -181,8 +181,10 @@ class StrCatBW extends BufferWriteCall {
  * A call to a variant of `sprintf`.
  */
 class SprintfBW extends BufferWriteCall {
+  FormattingFunction f;
+
   SprintfBW() {
-    exists(TopLevelFunction fn, string name | fn = getTarget() and name = fn.getName() |
+    exists(string name | f = getTarget().(TopLevelFunction) and name = f.getName() |
       /*
        * C sprintf variants:
        */
@@ -218,10 +220,7 @@ class SprintfBW extends BufferWriteCall {
   }
 
   override Type getBufferType() {
-    exists(FormattingFunction f |
-      f = this.getTarget() and
-      result = f.getParameter(f.getFormatParameterIndex()).getUnspecifiedType()
-    )
+    result = f.getParameter(f.getFormatParameterIndex()).getUnspecifiedType()
   }
 
   override Expr getASource() {
@@ -230,7 +229,7 @@ class SprintfBW extends BufferWriteCall {
     result = this.(FormattingFunctionCall).getFormatArgument(_)
   }
 
-  override Expr getDest() { result = getArgument(0) }
+  override Expr getDest() { result = getArgument(f.getOutputParameterIndex()) }
 
   override int getMaxData() {
     exists(FormatLiteral fl |
