C++: Fixup queries to keep the old results.

Author: MathiasVP

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -68,9 +68,9 @@ predicate cannotContainString(Type t, boolean isIndirect) {
 
 predicate isNonConst(DataFlow::Node node, boolean isIndirect) {
   exists(Expr e |
-    e = node.asExpr() and isIndirect = false
+    e = [node.asExpr(), node.asDefinition()] and isIndirect = false
     or
-    e = node.asIndirectExpr() and isIndirect = true
+    e = [node.asIndirectExpr(), node.asIndirectDefinition()] and isIndirect = true
   |
     exists(FunctionCall fc | fc = e |
       not (

cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql

@@ -35,10 +35,15 @@ predicate isSource(FS::FlowSource source, string sourceType) { sourceType = sour
 
 predicate isSink(DataFlow::Node sink, string kind) {
   exists(Expr use |
-    use = sink.asExpr() and
     not use.getUnspecifiedType() instanceof PointerType and
     outOfBoundsExpr(use, kind) and
     not inSystemMacroExpansion(use)
+  |
+    if
+      sink.asDefinition() instanceof CrementOperation or
+      sink.asDefinition() instanceof AssignOperation
+    then use = sink.asDefinition()
+    else use = sink.asExpr()
   )
 }
 

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -60,7 +60,7 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(Expr e | e = node.asExpr() |
+    exists(Expr e | e = [node.asExpr(), node.asDefinition()] |
       // There can be two separate reasons for `convertedExprMightOverflow` not holding:
       // 1. `e` really cannot overflow.
       // 2. `e` isn't analyzable.