github
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll‎
Lines changed: 11 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll‎
Lines changed: 11 additions & 0 deletions
@@ -214,6 +214,17 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
       exprIn = call.getQualifier()
     )
   )
+  or
+  exists(
+    TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel
+  |
+    call.getTarget() = f and
+    inModel.isQualifierObject() and
+    outModel.isReturnValueDeref() and
+    f.hasTaintFlow(inModel, outModel) and
+    exprIn = call and
+    argOut = call.getQualifier()
+  )
 }
 
 private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {
Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,17 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {`
`214`	`214`	`exprIn = call.getQualifier()`
`215`	`215`	`)`
`216`	`216`	`)`
	`217`	`+ or`
	`218`	`+ exists(`
	`219`	`+ TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel`
	`220`	`+ \|`
	`221`	`+ call.getTarget() = f and`
	`222`	`+ inModel.isQualifierObject() and`
	`223`	`+ outModel.isReturnValueDeref() and`
	`224`	`+ f.hasTaintFlow(inModel, outModel) and`
	`225`	`+ exprIn = call and`
	`226`	`+ argOut = call.getQualifier()`
	`227`	`+ )`
`217`	`228`	`}`
`218`	`229`
`219`	`230`	`private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {`