C++: Move location where getASuccessor is used to avoid join order problems

jketema · jketema · commit 11182e4ee4d0 · 2023-06-05T12:36:25.000+02:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -208,8 +208,7 @@ predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string o
     s = sink.asInstruction() and
     bounded1(addr.getDef(), s, delta) and
     delta >= 0 and
-    i.getAnOperand() = addr and
-    i = getASuccessor(s)
+    i.getAnOperand() = addr
   |
     i instanceof StoreInstruction and
     operation = "write"
@@ -267,7 +266,8 @@ newtype TMergedPathNode =
   TPathNodeSink(Instruction i) {
     exists(DataFlow::Node n |
       InvalidPointerToDerefFlow::flowTo(n) and
-      isInvalidPointerDerefSink(n, i, _, _)
+      isInvalidPointerDerefSink(n, i, _, _) and
+      i = getASuccessor(n.asInstruction())
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -208,8 +208,7 @@ predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string o`
`208`	`208`	`s = sink.asInstruction() and`
`209`	`209`	`bounded1(addr.getDef(), s, delta) and`
`210`	`210`	`delta >= 0 and`
`211`		`- i.getAnOperand() = addr and`
`212`		`- i = getASuccessor(s)`
	`211`	`+ i.getAnOperand() = addr`
`213`	`212`	`\|`
`214`	`213`	`i instanceof StoreInstruction and`
`215`	`214`	`operation = "write"`
`@@ -267,7 +266,8 @@ newtype TMergedPathNode =`
`267`	`266`	`TPathNodeSink(Instruction i) {`
`268`	`267`	`exists(DataFlow::Node n \|`
`269`	`268`	`InvalidPointerToDerefFlow::flowTo(n) and`
`270`		`- isInvalidPointerDerefSink(n, i, _, _)`
	`269`	`+ isInvalidPointerDerefSink(n, i, _, _) and`
	`270`	`+ i = getASuccessor(n.asInstruction())`
`271`	`271`	`)`
`272`	`272`	`}`
`273`	`273`