Commit 2abe416

Merge pull request #2799 from MathiasVP/missing-flow-in-crement
C++: Fix false negatives for postfix crement expressions
2 parents 12113e9 + c8be67c commit 2abe416

1 file changed: +6 -0 lines changed

cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

Lines changed: 6 additions & 0 deletions
@@ -335,6 +335,12 @@ private Element adjustedSink(DataFlow::Node sink) {
335335
// For compatibility, send flow into a `NotExpr` even if it's part of a
336336
// short-circuiting condition and thus might get skipped.
337337
result.(NotExpr).getOperand() = sink.asExpr()
338+
or
339+
// Taint postfix and prefix crement operations when their operand is tainted.
340+
result.(CrementOperation).getAnOperand() = sink.asExpr()
341+
or
342+
// Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
343+
result.(AssignOperation).getAnOperand() = sink.asExpr()
338344
}
339345

340346
predicate tainted(Expr source, Element tainted) {
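Review bot: the change summary shows only `DefaultTaintTracking.qll` touched, so the two new sink adjustments in this hunk (`result.(CrementOperation).getAnOperand() = sink.asExpr()` and `result.(AssignOperation).getAnOperand() = sink.asExpr()`) land without a test that exercises them; add a taint-tracking test case with a tainted operand of a postfix/prefix crement and of a compound assignment (`e1 += e2`) and update the expected output so the fixed false negatives are recorded. Minor, in the comment on the `AssignOperation` line: `e &= e2` should read `e1 &= e2` to match the `e1`/`e2` naming used in the rest of that sentence. Also, the title mentions only postfix crement expressions, while the hunk covers prefix crement and `AssignOperation` too; the commit message could state the full scope.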
