CPP: Don't require alloc in memberMayBeVarSize.

geoffw0 · Robert Marsh · commit 79ff559f7aff · 2018-11-07T15:11:53.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
@@ -33,13 +33,12 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
       // `sizeof(c)` is taken
       so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
       so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = c |
-      // Check all ancestor nodes except the immediate parent for
-      // allocations.
-      isStdLibAllocationExpr(so.getParent().(Expr).getParent+())
+
+      // arithmetic is performed on the result
+      so.getParent*() instanceof BinaryArithmeticOperation
     ) or exists(AddressOfExpr aoe |
       // `&(c.v)` is taken
-      aoe.getAddressable() = v and
-      isStdLibAllocationExpr(aoe.getParent().(Expr).getParent+())
+      aoe.getAddressable() = v
     )
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -33,13 +33,12 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {`
`33`	`33`	// `sizeof(c)` is taken
`34`	`34`	`so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or`
`35`	`35`	`so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = c \|`
`36`		`- // Check all ancestor nodes except the immediate parent for`
`37`		`- // allocations.`
`38`		`- isStdLibAllocationExpr(so.getParent().(Expr).getParent+())`
	`36`	`+`
	`37`	`+ // arithmetic is performed on the result`
	`38`	`+ so.getParent*() instanceof BinaryArithmeticOperation`
`39`	`39`	`) or exists(AddressOfExpr aoe \|`
`40`	`40`	// `&(c.v)` is taken
`41`		`- aoe.getAddressable() = v and`
`42`		`- isStdLibAllocationExpr(aoe.getParent().(Expr).getParent+())`
	`41`	`+ aoe.getAddressable() = v`
`43`	`42`	`)`
`44`	`43`	`)`
`45`	`44`	`}`