C++: should only match those functions that has the same number of parameters as the call has arguments.

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -22,7 +22,13 @@ Function viableCallable(CallInstruction call) {
   )
   or
   // Virtual dispatch
-  result = call.(VirtualDispatch::DataSensitiveCall).resolve()
+  result = call.(VirtualDispatch::DataSensitiveCall).resolve() and
+  (
+    call.getNumberOfArguments() <= result.getEffectiveNumberOfParameters() and
+    call.getNumberOfArguments() >= result.getEffectiveNumberOfParameters()
+    or
+    result.isVarargs()
+  )
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -1202,6 +1202,11 @@ class CallInstruction extends Instruction {
   final Instruction getPositionalArgument(int index) {
     result = getPositionalArgumentOperand(index).getDef()
   }
+
+  /**
+   * Gets the number of arguments of the call, including the `this` pointer, if any.
+   */
+  final int getNumberOfArguments() { result = count(this.getAnArgumentOperand()) }
 }
 
 /**