C++: Add barrier for array lookups in 'cpp/double-free' and 'cpp/use-after-free'.

MathiasVP · MathiasVP · commit 0543ed115e7e · 2023-12-15T14:57:17.000Z
diff --git a/cpp/ql/src/Critical/FlowAfterFree.qll b/cpp/ql/src/Critical/FlowAfterFree.qll
@@ -87,6 +87,8 @@ module FlowFromFree<isSinkSig/2 isASink, isExcludedSig/2 isExcluded> {
       |
         e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()
       )
+      or
+      n.asExpr() instanceof ArrayExpr
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,8 @@ module FlowFromFree<isSinkSig/2 isASink, isExcludedSig/2 isExcluded> {`
`87`	`87`	`\|`
`88`	`88`	`e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()`
`89`	`89`	`)`
	`90`	`+ or`
	`91`	`+ n.asExpr() instanceof ArrayExpr`
`90`	`92`	`}`
`91`	`93`	`}`
`92`	`94`