Skip to content

C++: Fix unintended conflation in a taint step #21622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
MathiasVP wants to merge 2 commits into
base: main
Choose a base branch
from
+1 −37
Draft

C++: Fix unintended conflation in a taint step #21622

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a4898ab
C++: Restrict a default taint step to only add flow from the index to…
MathiasVP Mar 31, 2026
dae2dcd
C++: Accept test changes.
MathiasVP Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ private module Cached {
// indirection of the pointer arithmetic instruction. This provides flow from `source`
// in `x[source]` to the result of the associated load instruction.
exists(PointerArithmeticInstruction pai, int indirectionIndex |
nodeHasOperand(nodeFrom, pai.getAnOperand(), pragma[only_bind_into](indirectionIndex)) and
nodeHasOperand(nodeFrom, pai.getRightOperand(), pragma[only_bind_into](indirectionIndex)) and
hasInstructionAndIndex(nodeTo, pai, indirectionIndex + 1)
) and
model = ""
Expand Down
36 changes: 0 additions & 36 deletions cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,36 +4,20 @@ edges
| main.cpp:6:27:6:30 | **argv | main.cpp:9:29:9:32 | **argv | provenance | |
| main.cpp:6:27:6:30 | **argv | main.cpp:10:20:10:23 | **argv | provenance | |
| main.cpp:7:33:7:36 | **argv | main.cpp:7:33:7:36 | overflowdesination_main output argument | provenance | |
| main.cpp:7:33:7:36 | **argv | main.cpp:7:33:7:36 | overflowdesination_main output argument | provenance | |
| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:8:34:8:37 | **argv | provenance | |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:8:34:8:37 | *argv | provenance | |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:9:29:9:32 | **argv | provenance | |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:9:29:9:32 | *argv | provenance | |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:10:20:10:23 | **argv | provenance | |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | main.cpp:10:20:10:23 | *argv | provenance | |
| main.cpp:8:34:8:37 | **argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | provenance | |
| main.cpp:8:34:8:37 | **argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | provenance | |
| main.cpp:8:34:8:37 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance | |
| main.cpp:8:34:8:37 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | provenance | |
| main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance | |
| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:9:29:9:32 | **argv | provenance | |
| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:9:29:9:32 | *argv | provenance | |
| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:10:20:10:23 | **argv | provenance | |
| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | main.cpp:10:20:10:23 | *argv | provenance | |
| main.cpp:9:29:9:32 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | provenance | |
| main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance | |
| main.cpp:9:29:9:32 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | provenance | |
| main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance | |
| main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | **argv | provenance | |
| main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | *argv | provenance | |
| main.cpp:10:20:10:23 | **argv | tests.cpp:1074:32:1074:35 | **argv | provenance | |
| main.cpp:10:20:10:23 | *argv | tests.cpp:1074:32:1074:35 | *argv | provenance | |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | provenance | |
| test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance | |
| test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance | |
| test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance | |
| tests.cpp:634:19:634:24 | *source | tests.cpp:636:17:636:22 | *source | provenance | |
| tests.cpp:643:19:643:24 | *source | tests.cpp:646:2:646:16 | *... = ... | provenance | |
| tests.cpp:646:2:646:2 | *s [post update] [*home] | tests.cpp:649:14:649:14 | *s [*home] | provenance | |
Expand All @@ -43,35 +27,22 @@ edges
| tests.cpp:649:16:649:19 | *home | tests.cpp:649:14:649:19 | *home | provenance | |
| tests.cpp:1074:32:1074:35 | **argv | tests.cpp:1099:9:1099:15 | *access to array | provenance | |
| tests.cpp:1074:32:1074:35 | **argv | tests.cpp:1100:9:1100:15 | *access to array | provenance | |
| tests.cpp:1074:32:1074:35 | *argv | tests.cpp:1099:9:1099:15 | *access to array | provenance | |
| tests.cpp:1074:32:1074:35 | *argv | tests.cpp:1100:9:1100:15 | *access to array | provenance | |
| tests.cpp:1099:9:1099:15 | *access to array | tests.cpp:634:19:634:24 | *source | provenance | |
| tests.cpp:1100:9:1100:15 | *access to array | tests.cpp:643:19:643:24 | *source | provenance | |
| tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance | |
| tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance | |
nodes
| main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | semmle.label | overflowdesination_main output argument |
| main.cpp:7:33:7:36 | overflowdesination_main output argument | semmle.label | overflowdesination_main output argument |
| main.cpp:8:34:8:37 | **argv | semmle.label | **argv |
| main.cpp:8:34:8:37 | *argv | semmle.label | *argv |
| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | semmle.label | test_buffer_overrun_main output argument |
| main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | semmle.label | test_buffer_overrun_main output argument |
| main.cpp:9:29:9:32 | **argv | semmle.label | **argv |
| main.cpp:9:29:9:32 | *argv | semmle.label | *argv |
| main.cpp:9:29:9:32 | tests_restrict_main output argument | semmle.label | tests_restrict_main output argument |
| main.cpp:9:29:9:32 | tests_restrict_main output argument | semmle.label | tests_restrict_main output argument |
| main.cpp:10:20:10:23 | **argv | semmle.label | **argv |
| main.cpp:10:20:10:23 | *argv | semmle.label | *argv |
| overflowdestination.cpp:23:45:23:48 | **argv | semmle.label | **argv |
| overflowdestination.cpp:23:45:23:48 | **argv | semmle.label | **argv |
| overflowdestination.cpp:23:45:23:48 | *argv | semmle.label | *argv |
| test_buffer_overrun.cpp:32:46:32:49 | **argv | semmle.label | **argv |
| test_buffer_overrun.cpp:32:46:32:49 | **argv | semmle.label | **argv |
| test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
| test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
| test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
| tests.cpp:634:19:634:24 | *source | semmle.label | *source |
| tests.cpp:636:17:636:22 | *source | semmle.label | *source |
| tests.cpp:643:19:643:24 | *source | semmle.label | *source |
Expand All @@ -81,21 +52,14 @@ nodes
| tests.cpp:649:14:649:19 | *home | semmle.label | *home |
| tests.cpp:649:16:649:19 | *home | semmle.label | *home |
| tests.cpp:1074:32:1074:35 | **argv | semmle.label | **argv |
| tests.cpp:1074:32:1074:35 | *argv | semmle.label | *argv |
| tests.cpp:1099:9:1099:15 | *access to array | semmle.label | *access to array |
| tests.cpp:1100:9:1100:15 | *access to array | semmle.label | *access to array |
| tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
| tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
| tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |
| tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |
subpaths
| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | main.cpp:7:33:7:36 | overflowdesination_main output argument |
| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | main.cpp:7:33:7:36 | overflowdesination_main output argument |
| main.cpp:8:34:8:37 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
| main.cpp:8:34:8:37 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
| main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument |
| main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument |
| main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument |
#select
| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |
| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |
Loading