C++: fix assignment to *iter++

Robert Marsh · Robert Marsh · commit 108cc9ea47e0 · 2020-10-13T16:19:15.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -807,6 +807,12 @@ module FlowVar_internal {
       def.getAnUltimateDefiningValue(iterator) = c and
       result = def.getAUse(iterator)
     )
+    or
+    exists(Call crement |
+      crement = result and
+      [crement.getQualifier(), crement.getArgument(0)] = getAnIteratorAccess(collection) and
+      crement.getTarget().getName() = ["operator++", "operator--"]
+    )
   }
 
   class IteratorParameter extends Parameter {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -7054,6 +7054,8 @@
 | vector.cpp:402:35:402:37 | v12 | vector.cpp:402:39:402:43 | call to begin | TAINT |
 | vector.cpp:402:39:402:43 | call to begin | vector.cpp:403:3:403:5 | i12 |  |
 | vector.cpp:402:39:402:43 | call to begin | vector.cpp:404:3:404:5 | i12 |  |
+| vector.cpp:403:2:403:2 | call to operator* [post update] | vector.cpp:405:7:405:9 | v12 |  |
+| vector.cpp:403:2:403:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v12 |  |
 | vector.cpp:403:2:403:11 | ... = ... | vector.cpp:403:2:403:2 | call to operator* [post update] |  |
 | vector.cpp:403:3:403:5 | i12 | vector.cpp:403:6:403:6 | call to operator++ |  |
 | vector.cpp:403:3:403:5 | ref arg i12 | vector.cpp:404:3:404:5 | i12 |  |
@@ -7071,6 +7073,8 @@
 | vector.cpp:407:35:407:37 | ref arg v13 | vector.cpp:415:1:415:1 | v13 |  |
 | vector.cpp:407:35:407:37 | v13 | vector.cpp:407:39:407:43 | call to begin | TAINT |
 | vector.cpp:407:39:407:43 | call to begin | vector.cpp:408:3:408:5 | i13 |  |
+| vector.cpp:408:2:408:2 | call to operator* [post update] | vector.cpp:409:7:409:9 | v13 |  |
+| vector.cpp:408:2:408:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v13 |  |
 | vector.cpp:408:2:408:18 | ... = ... | vector.cpp:408:2:408:2 | call to operator* [post update] |  |
 | vector.cpp:408:3:408:5 | i13 | vector.cpp:408:6:408:6 | call to operator++ |  |
 | vector.cpp:408:6:408:6 | call to operator++ | vector.cpp:408:2:408:2 | call to operator* | TAINT |
@@ -7084,6 +7088,8 @@
 | vector.cpp:411:39:411:43 | call to begin | vector.cpp:413:3:413:5 | i14 |  |
 | vector.cpp:412:2:412:4 | i14 | vector.cpp:412:5:412:5 | call to operator++ |  |
 | vector.cpp:412:2:412:4 | ref arg i14 | vector.cpp:413:3:413:5 | i14 |  |
+| vector.cpp:413:2:413:2 | call to operator* [post update] | vector.cpp:414:7:414:9 | v14 |  |
+| vector.cpp:413:2:413:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v14 |  |
 | vector.cpp:413:2:413:18 | ... = ... | vector.cpp:413:2:413:2 | call to operator* [post update] |  |
 | vector.cpp:413:3:413:5 | i14 | vector.cpp:413:6:413:6 | call to operator++ |  |
 | vector.cpp:413:6:413:6 | call to operator++ | vector.cpp:413:2:413:2 | call to operator* | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -654,3 +654,5 @@
 | vector.cpp:392:7:392:8 | v9 | vector.cpp:389:8:389:13 | call to source |
 | vector.cpp:400:7:400:9 | v11 | vector.cpp:399:38:399:43 | call to source |
 | vector.cpp:405:7:405:9 | v12 | vector.cpp:404:9:404:14 | call to source |
+| vector.cpp:409:7:409:9 | v13 | vector.cpp:408:11:408:16 | call to source |
+| vector.cpp:414:7:414:9 | v14 | vector.cpp:413:11:413:16 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -380,3 +380,5 @@
 | vector.cpp:392:7:392:8 | vector.cpp:389:8:389:13 | AST only |
 | vector.cpp:400:7:400:9 | vector.cpp:399:38:399:43 | AST only |
 | vector.cpp:405:7:405:9 | vector.cpp:404:9:404:14 | AST only |
+| vector.cpp:409:7:409:9 | vector.cpp:408:11:408:16 | AST only |
+| vector.cpp:414:7:414:9 | vector.cpp:413:11:413:16 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -406,10 +406,10 @@ void test_vector_output_iterator(int b) {
 
 	std::vector<int>::iterator i13 = v13.begin();
 	*i13++ = source();
-	sink(v13); // tainted [NOT DETECTED]
+	sink(v13); // tainted [NOT DETECTED by IR]
 
 	std::vector<int>::iterator i14 = v14.begin();
 	i14++;
 	*i14++ = source();
-	sink(v14); // tainted [NOT DETECTED]
+	sink(v14); // tainted [NOT DETECTED by IR]
 }

Original file line number	Diff line number	Diff line change
`@@ -807,6 +807,12 @@ module FlowVar_internal {`
`807`	`807`	`def.getAnUltimateDefiningValue(iterator) = c and`
`808`	`808`	`result = def.getAUse(iterator)`
`809`	`809`	`)`
	`810`	`+ or`
	`811`	`+ exists(Call crement \|`
	`812`	`+ crement = result and`
	`813`	`+ [crement.getQualifier(), crement.getArgument(0)] = getAnIteratorAccess(collection) and`
	`814`	`+ crement.getTarget().getName() = ["operator++", "operator--"]`
	`815`	`+ )`
`810`	`816`	`}`
`811`	`817`
`812`	`818`	`class IteratorParameter extends Parameter {`