C++: More pruning.

MathiasVP · MathiasVP · commit ded06a77d0a6 · 2023-08-25T10:22:55.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
@@ -101,7 +101,8 @@ private module SizeBarrier {
     predicate isSource(DataFlow::Node source) {
       // The sources is the same as in the sources for the second
       // projection in the `AllocToInvalidPointerConfig` module.
-      hasSize(_, source, _)
+      hasSize(_, source, _) and
+      InterestingPointerAddInstruction::isInterestingSize(source)
     }
 
     /**
@@ -220,6 +221,13 @@ private module InterestingPointerAddInstruction {
       flowTo(n)
     )
   }
+
+  predicate isInterestingSize(DataFlow::Node n) {
+    exists(DataFlow::Node alloc |
+      hasSize(alloc.asConvertedExpr(), n, _) and
+      flow(alloc, _)
+    )
+  }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,8 @@ private module SizeBarrier {`
`101`	`101`	`predicate isSource(DataFlow::Node source) {`
`102`	`102`	`// The sources is the same as in the sources for the second`
`103`	`103`	// projection in the `AllocToInvalidPointerConfig` module.
`104`		`- hasSize(_, source, _)`
	`104`	`+ hasSize(_, source, _) and`
	`105`	`+ InterestingPointerAddInstruction::isInterestingSize(source)`
`105`	`106`	`}`
`106`	`107`
`107`	`108`	`/**`
`@@ -220,6 +221,13 @@ private module InterestingPointerAddInstruction {`
`220`	`221`	`flowTo(n)`
`221`	`222`	`)`
`222`	`223`	`}`
	`224`	`+`
	`225`	`+ predicate isInterestingSize(DataFlow::Node n) {`
	`226`	`+ exists(DataFlow::Node alloc \|`
	`227`	`+ hasSize(alloc.asConvertedExpr(), n, _) and`
	`228`	`+ flow(alloc, _)`
	`229`	`+ )`
	`230`	`+ }`
`223`	`231`	`}`
`224`	`232`
`225`	`233`	`/**`