CPP: Don't require alloc in memberMayBeVarSize.

geoffw0 · geoffw0 · commit 2dcec4dce3c8 · 2018-10-25T15:01:00.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/src/semmle/code/cpp/commons/Buffer.qll
@@ -34,13 +34,12 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
       // `sizeof(c)` is taken
       so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
       so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = c |
-      // Check all ancestor nodes except the immediate parent for
-      // allocations.
-      isStdLibAllocationExpr(so.getParent().(Expr).getParent+())
+
+      // arithmetic is performed on the result
+      so.getParent*() instanceof BinaryArithmeticOperation
     ) or exists(AddressOfExpr aoe |
       // `&(c.v)` is taken
-      aoe.getAddressable() = v and
-      isStdLibAllocationExpr(aoe.getParent().(Expr).getParent+())
+      aoe.getAddressable() = v
     )
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -34,13 +34,12 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {`
`34`	`34`	// `sizeof(c)` is taken
`35`	`35`	`so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or`
`36`	`36`	`so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = c \|`
`37`		`- // Check all ancestor nodes except the immediate parent for`
`38`		`- // allocations.`
`39`		`- isStdLibAllocationExpr(so.getParent().(Expr).getParent+())`
	`37`	`+`
	`38`	`+ // arithmetic is performed on the result`
	`39`	`+ so.getParent*() instanceof BinaryArithmeticOperation`
`40`	`40`	`) or exists(AddressOfExpr aoe \|`
`41`	`41`	// `&(c.v)` is taken
`42`		`- aoe.getAddressable() = v and`
`43`		`- isStdLibAllocationExpr(aoe.getParent().(Expr).getParent+())`
	`42`	`+ aoe.getAddressable() = v`
`44`	`43`	`)`
`45`	`44`	`)`
`46`	`45`	`}`