CPP: Fix crement operations on pointers.

geoffw0 · geoffw0 · commit 91893aede060 · 2018-08-28T16:21:23.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -63,7 +63,7 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
   exists(LocalScopeVariable v | use.getTarget() = v |
     // overflow possible if large
     (e instanceof AddExpr and not guardedLesser(e, varUse(v))) or
-    (e instanceof IncrementOperation and not guardedLesser(e, varUse(v))) or     
+    (e instanceof IncrementOperation and not guardedLesser(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or     
     // overflow possible if large or small
     (e instanceof MulExpr and
       not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
@@ -77,7 +77,7 @@ predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
     // underflow possible if use is left operand and small
     (use = e.(SubExpr).getLeftOperand() and not guardedGreater(e, varUse(v))) or
     // underflow possible if small
-    (e instanceof DecrementOperation and not guardedGreater(e, varUse(v))) or
+    (e instanceof DecrementOperation and not guardedGreater(e, varUse(v)) and v.getType().getUnspecifiedType() instanceof IntegralType) or
     // underflow possible if large or small
     (e instanceof MulExpr and
       not (guardedLesser(e, varUse(v)) and guardedGreater(e, varUse(v))))
