[DIFF-INFORMED] C++: CWE-190/ArithmeticTainted,etc.

d10c · d10c · commit b4724e4eebf5 · 2025-07-17T11:39:21.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -106,6 +106,12 @@ module Config implements DataFlow::ConfigSig {
       not iTo instanceof PointerArithmeticInstruction
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr e | result = e.getLocation() | isSink(sink, _, e))
+  }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -120,6 +120,12 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
     // block unintended flow to pointers
     node.asExpr().getUnspecifiedType() instanceof PointerType
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    result = getExpr(source).getLocation()
+  }
 }
 
 module UncontrolledArith = TaintTracking::Global<UncontrolledArithConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -113,6 +113,12 @@ module Config implements DataFlow::ConfigSig {
       not iTo instanceof PointerArithmeticInstruction
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(VariableAccess va | result = va.getLocation() | isSink(sink, va, _))
+  }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -91,6 +91,12 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
     // to duplicate results)
     any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr alloc | result = alloc.getLocation() | allocSink(alloc, sink))
+  }
 }
 
 module TaintedAllocationSize = TaintTracking::Global<TaintedAllocationSizeConfig>;

Original file line number	Diff line number	Diff line change
`@@ -106,6 +106,12 @@ module Config implements DataFlow::ConfigSig {`
`106`	`106`	`not iTo instanceof PointerArithmeticInstruction`
`107`	`107`	`)`
`108`	`108`	`}`
	`109`	`+`
	`110`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`111`	`+`
	`112`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`113`	`+ exists(Expr e \| result = e.getLocation() \| isSink(sink, _, e))`
	`114`	`+ }`
`109`	`115`	`}`
`110`	`116`
`111`	`117`	`module Flow = TaintTracking::Global<Config>;`
Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,12 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {`
`120`	`120`	`// block unintended flow to pointers`
`121`	`121`	`node.asExpr().getUnspecifiedType() instanceof PointerType`
`122`	`122`	`}`
	`123`	`+`
	`124`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`125`	`+`
	`126`	`+ Location getASelectedSourceLocation(DataFlow::Node source) {`
	`127`	`+ result = getExpr(source).getLocation()`
	`128`	`+ }`
`123`	`129`	`}`
`124`	`130`
`125`	`131`	`module UncontrolledArith = TaintTracking::Global<UncontrolledArithConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,12 @@ module Config implements DataFlow::ConfigSig {`
`113`	`113`	`not iTo instanceof PointerArithmeticInstruction`
`114`	`114`	`)`
`115`	`115`	`}`
	`116`	`+`
	`117`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`118`	`+`
	`119`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`120`	`+ exists(VariableAccess va \| result = va.getLocation() \| isSink(sink, va, _))`
	`121`	`+ }`
`116`	`122`	`}`
`117`	`123`
`118`	`124`	`module Flow = TaintTracking::Global<Config>;`
Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,12 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {`
`91`	`91`	`// to duplicate results)`
`92`	`92`	`any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()`
`93`	`93`	`}`
	`94`	`+`
	`95`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`96`	`+`
	`97`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`98`	`+ exists(Expr alloc \| result = alloc.getLocation() \| allocSink(alloc, sink))`
	`99`	`+ }`
`94`	`100`	`}`
`95`	`101`
`96`	`102`	`module TaintedAllocationSize = TaintTracking::Global<TaintedAllocationSizeConfig>;`