C++: Also add an out barrier on all sinks.

Author: MathiasVP

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

@@ -97,6 +97,8 @@ module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+
   predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink1(sink, _, _) }
 }
 
@@ -134,6 +136,8 @@ module FieldAddressToDerefConfig implements DataFlow::StateConfigSig {
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
 
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
+
   predicate isAdditionalFlowStep(
     DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
   ) {

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -6,12 +6,8 @@ edges
 | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array |
 | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array |
 | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array |
-| test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | p |
-| test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
-| test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | p |
 | test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array |
 | test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
-| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
 | test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
 | test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
 | test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
@@ -31,10 +27,6 @@ nodes
 | test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
 | test.cpp:61:14:61:16 | buf | semmle.label | buf |
 | test.cpp:66:32:66:32 | p | semmle.label | p |
-| test.cpp:66:32:66:32 | p | semmle.label | p |
-| test.cpp:66:32:66:32 | p | semmle.label | p |
-| test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
-| test.cpp:67:6:67:6 | p | semmle.label | p |
 | test.cpp:70:33:70:33 | p | semmle.label | p |
 | test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
 | test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
@@ -52,6 +44,3 @@ subpaths
 | test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
 | test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
 | test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:67:6:67:6 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |