update test files, add one more additional flow step for inflate function, fix gzopen additional flow step thanks to @jketema

Author: am0o0

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.ql

@@ -22,12 +22,13 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall fc, DecompressionFunction f | fc.getTarget() = f |
-      fc.getArgument(f.getArchiveParameterIndex()) = sink.asExpr()
+      fc.getArgument(f.getArchiveParameterIndex()) = sink.asExpr() 
     )
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(DecompressionFlowStep f).isAdditionalFlowStep(node1, node2)
+    any(DecompressionFlowStep f).isAdditionalFlowStep(node1, node2) or
+    nextInAdditionalFlowStep(node1, node2)
   }
 }
 

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibGzopen.qll

@@ -37,7 +37,7 @@ class GzGetsFunction extends DecompressionFunction {
 class GzReadFunction extends DecompressionFunction {
   GzReadFunction() { this.hasGlobalName("gzread") }
 
-  override int getArchiveParameterIndex() { result = 1 }
+  override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
@@ -66,7 +66,7 @@ class GzopenFunction extends DecompressionFlowStep {
 
   override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(FunctionCall fc | fc.getTarget() = this |
-      node1.asExpr() = fc.getArgument(0) and
+      node1.asIndirectExpr() = fc.getArgument(0) and
       node2.asExpr() = fc
     )
   }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibInflator.qll

@@ -10,12 +10,27 @@ import DecompressionBomb
 /**
  * The `inflate` and `inflateSync` functions are used in flow sink.
  *
- * `inflate(z_streamp strm, int flush)`
+ * `inflate(z_stream strm, int flush)`
  *
- * `inflateSync(z_streamp strm)`
+ * `inflateSync(z_stream strm)`
  */
 class InflateFunction extends DecompressionFunction {
   InflateFunction() { this.hasGlobalName(["inflate", "inflateSync"]) }
 
   override int getArchiveParameterIndex() { result = 0 }
 }
+
+/**
+ * The `next_in` member of a `z_stream` variable is used in flow steps.
+ */
+predicate nextInAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(Variable nextInVar, VariableAccess zStreamAccess |
+    nextInVar.getDeclaringType().hasName("z_stream") and
+    nextInVar.hasName("next_in") and
+    zStreamAccess.getType().hasName("z_stream")
+  |
+    nextInVar.getAnAccess().getQualifier().(VariableAccess).getTarget() = zStreamAccess.getTarget() and
+    node1.asIndirectExpr() = nextInVar.getAnAssignedValue() and
+    node2.asExpr() = zStreamAccess
+  )
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/zlibTest.cpp

@@ -51,40 +51,17 @@ namespace std {
 }
 
 int UnsafeInflate(char *a) {
-    // placeholder for the compressed (deflated) version of "a"
-    char b[50];
-    // placeholder for the Uncompressed (inflated) version of "b"
-    char c[50];
-
-    // STEP 1.
-    // zlib struct
-    z_stream defstream;
-    defstream.zalloc = Z_NULL;
-    defstream.zfree = Z_NULL;
-    defstream.opaque = Z_NULL;
-    // setup "a" as the input and "b" as the compressed output
-    defstream.avail_in = (uInt) 50 + 1; // size of input, string + terminator
-    defstream.next_in = (Bytef *) a; // input char array
-    defstream.avail_out = (uInt) sizeof(b); // size of output
-    defstream.next_out = (Bytef *) b; // output char array
-
-    // the actual compression work.
-    deflateInit(&defstream, Z_BEST_COMPRESSION);
-    deflate(&defstream, Z_FINISH);
-    deflateEnd(&defstream);
-
-    // This is one way of getting the size of the output
-    // STEP 2.
-    // inflate b into c
-    // zlib struct
+    // placeholder for the Uncompressed (inflated) version of "a"
+    char c[1024000];
+
     z_stream infstream;
     infstream.zalloc = Z_NULL;
     infstream.zfree = Z_NULL;
     infstream.opaque = Z_NULL;
     // setup "b" as the input and "c" as the compressed output
     // TOTHINK: Here we can add additional step from Right operand to z_stream variable access
-    infstream.avail_in = (uInt) ((char *) defstream.next_out - b); // size of input
-    infstream.next_in = (Bytef *) b; // input char array
+    infstream.avail_in = (uInt) (1000); // size of input
+    infstream.next_in = (Bytef *) a; // input char array
     infstream.avail_out = (uInt) sizeof(c); // size of output
     infstream.next_out = (Bytef *) c; // output char array
 
@@ -159,7 +136,6 @@ int UnsafeGzgets(char *fileName) {
     }
     char *buffer = new char[4000000000];
     char *result;
-    result = gzgets(inFileZ, buffer, 1000000000);
     while (true) {
         result = gzgets(inFileZ, buffer, 1000000000);
         if (result == nullptr) {