C++: Block flow through indirect flow through pointer-arithmetic instructions when following flow for the allocation size.

MathiasVP · MathiasVP · commit 9df5e43faec7 · 2023-10-03T15:31:50.000+02:00
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
@@ -284,10 +284,20 @@ private module Config implements ProductFlow::StateConfigSig {
     pointerAddInstructionHasBounds0(_, allocSink, sizeSink, sizeAddend)
   }
 
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+
   predicate isBarrier2(DataFlow::Node node, FlowState2 state) {
     node = SizeBarrier::getABarrierNode(state)
   }
 
+  predicate isBarrier2(DataFlow::Node node) {
+    exists(Operand operand, PointerAddInstruction add |
+      node.(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
+      add.getLeftOperand() = operand and
+      add.getRight().(ConstantInstruction).getValue() != "0"
+    )
+  }
+
   predicate isBarrierIn1(DataFlow::Node node) { isSourcePair(node, _, _, _) }
 
   predicate isBarrierOut2(DataFlow::Node node) {
