C++: TaintedAllocationSize

d10c · d10c · commit 07189fee2081 · 2025-07-11T14:42:25.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -92,8 +92,10 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
     any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 103 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql@105:8:105:12)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr alloc | result = alloc.getLocation() | allocSink(alloc, sink))
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -92,8 +92,10 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {`
`92`	`92`	`any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()`
`93`	`93`	`}`
`94`	`94`
`95`		`- predicate observeDiffInformedIncrementalMode() {`
`96`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 103 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql@105:8:105:12)`
	`95`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`96`	`+`
	`97`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`98`	`+ exists(Expr alloc \| result = alloc.getLocation() \| allocSink(alloc, sink))`
`97`	`99`	`}`
`98`	`100`	`}`
`99`	`101`