C++: Remove the '+ 1' in 'getAFlowStateForNode'.

MathiasVP · MathiasVP · commit a2b8eb924e15 · 2023-08-10T13:17:47.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
@@ -123,7 +123,7 @@ private module SizeBarrier {
   private int getAFlowStateForNode(DataFlow::Node node) {
     exists(DataFlow::Node source |
       flow(source, node) and
-      hasSize(_, source, result + 1)
+      hasSize(_, source, result)
     )
   }
 
@@ -155,7 +155,7 @@ private module SizeBarrier {
         pragma[only_bind_into](k), pragma[only_bind_into](edge)) and
       bounded(result, value.getAnInstruction(), delta) and
       g.controls(result.getBlock(), edge) and
-      k <= getAFlowStateForNode(right)
+      k < getAFlowStateForNode(right)
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ private module SizeBarrier {`
`123`	`123`	`private int getAFlowStateForNode(DataFlow::Node node) {`
`124`	`124`	`exists(DataFlow::Node source \|`
`125`	`125`	`flow(source, node) and`
`126`		`- hasSize(_, source, result + 1)`
	`126`	`+ hasSize(_, source, result)`
`127`	`127`	`)`
`128`	`128`	`}`
`129`	`129`
`@@ -155,7 +155,7 @@ private module SizeBarrier {`
`155`	`155`	`pragma[only_bind_into](k), pragma[only_bind_into](edge)) and`
`156`	`156`	`bounded(result, value.getAnInstruction(), delta) and`
`157`	`157`	`g.controls(result.getBlock(), edge) and`
`158`		`- k <= getAFlowStateForNode(right)`
	`158`	`+ k < getAFlowStateForNode(right)`
`159`	`159`	`)`
`160`	`160`	`}`
`161`	`161`