C++: restrict flowstates in constant off-by-one query

rdmarsh2 · rdmarsh2 · commit 584adf843a5a · 2023-05-12T12:43:10.000-04:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -89,8 +89,10 @@ predicate pointerArithOverflow(
 
 module FieldAddressToDerefConfig implements DataFlow::StateConfigSig {
   newtype FlowState =
-    additional TArray(Field f) or
-    additional TOverflowArithmetic(PointerArithmeticInstruction pai)
+    additional TArray(Field f) { pointerArithOverflow(_, f, _, _, _) } or
+    additional TOverflowArithmetic(PointerArithmeticInstruction pai) {
+      pointerArithOverflow(pai, _, _, _, _)
+    }
 
   predicate isSource(DataFlow::Node source, FlowState state) {
     exists(Field f |
