CPP: Queries: Similar dataflow simplification in OverflowCalculated.ql to that made recently in NoSpaceForZeroTerminator.ql.

geoffw0 · geoffw0 · commit 1e7bd9e987ff · 2019-11-22T15:19:00.000Z
diff --git a/cpp/ql/src/Critical/OverflowCalculated.ql b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -11,26 +11,21 @@
  */
 
 import cpp
+import semmle.code.cpp.dataflow.DataFlow
 
 class MallocCall extends FunctionCall {
   MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
 
   Expr getAllocatedSize() {
-    if this.getArgument(0) instanceof VariableAccess
-    then
-      exists(LocalScopeVariable v, ControlFlowNode def |
-        definitionUsePair(v, def, this.getArgument(0)) and
-        exprDefinition(v, def, result)
-      )
-    else result = this.getArgument(0)
+    result = this.getArgument(0)
   }
 }
 
 predicate spaceProblem(FunctionCall append, string msg) {
   exists(MallocCall malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer |
     add.getAChild() = strlen and
     exists(add.getAChild().getValue()) and
-    malloc.getAllocatedSize() = add and
+    DataFlow::localExprFlow(add, malloc.getAllocatedSize()) and
     buffer.getAnAccess() = strlen.getStringExpr() and
     (
       insert.getTarget().hasGlobalOrStdName("strcpy") or
