Skip to content

Commit 974994e

Browse files
geoffw0geoffw0
committed
CPP: Slight rearrange.
1 parent 1a6f7fe commit 974994e

File tree

1 file changed

+30
-22
lines changed

1 file changed

+30
-22
lines changed

cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

Lines changed: 30 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -133,19 +133,24 @@ private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
133133
)
134134
)
135135
or
136-
exists(TaintFunction f, Call call, FunctionOutput outModel |
136+
exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
137137
call.getTarget() = f and
138-
exprOut = call and
139-
outModel.isReturnValueDeref() and
140-
exists(int argInIndex, FunctionInput inModel | f.hasTaintFlow(inModel, outModel) |
141-
inModel.isParameterDeref(argInIndex) and
142-
exprIn = call.getArgument(argInIndex)
143-
or
144-
inModel.isParameterDeref(argInIndex) and
145-
call.passesByReference(argInIndex, exprIn)
146-
or
147-
inModel.isParameter(argInIndex) and
148-
exprIn = call.getArgument(argInIndex)
138+
(
139+
exprOut = call and
140+
outModel.isReturnValueDeref()
141+
) and
142+
f.hasTaintFlow(inModel, outModel) and
143+
(
144+
exists(int argInIndex |
145+
inModel.isParameterDeref(argInIndex) and
146+
exprIn = call.getArgument(argInIndex)
147+
or
148+
inModel.isParameterDeref(argInIndex) and
149+
call.passesByReference(argInIndex, exprIn)
150+
or
151+
inModel.isParameter(argInIndex) and
152+
exprIn = call.getArgument(argInIndex)
153+
)
149154
)
150155
)
151156
}
@@ -163,19 +168,22 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
163168
)
164169
)
165170
or
166-
exists(TaintFunction f, Call call, FunctionOutput outModel, int argOutIndex |
171+
exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel, int argOutIndex |
167172
call.getTarget() = f and
168173
argOut = call.getArgument(argOutIndex) and
169174
outModel.isParameterDeref(argOutIndex) and
170-
exists(int argInIndex, FunctionInput inModel | f.hasTaintFlow(inModel, outModel) |
171-
inModel.isParameterDeref(argInIndex) and
172-
exprIn = call.getArgument(argInIndex)
173-
or
174-
inModel.isParameterDeref(argInIndex) and
175-
call.passesByReference(argInIndex, exprIn)
176-
or
177-
inModel.isParameter(argInIndex) and
178-
exprIn = call.getArgument(argInIndex)
175+
f.hasTaintFlow(inModel, outModel) and
176+
(
177+
exists(int argInIndex |
178+
inModel.isParameterDeref(argInIndex) and
179+
exprIn = call.getArgument(argInIndex)
180+
or
181+
inModel.isParameterDeref(argInIndex) and
182+
call.passesByReference(argInIndex, exprIn)
183+
or
184+
inModel.isParameter(argInIndex) and
185+
exprIn = call.getArgument(argInIndex)
186+
)
179187
)
180188
)
181189
}

0 commit comments

Comments
 (0)