C++: Make it possible for 'getFirstFormatArgumentIndex' to sometimes have no result.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -10,6 +10,23 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.NonThrowing
 
+/**
+ * A formatting function that takes its format arguments through a `va_list` parameter.
+ */
+abstract private class VaListFormattingFunction extends FormattingFunction {
+  final override int getFirstFormatArgumentIndex() { none() }
+
+  final int getVaListParameterIndex() { result = this.getNumberOfParameters() - 1 }
+
+  private predicate hasLocaleParameter() { this.getName().matches("%\\_l") }
+
+  final override int getFormatParameterIndex() {
+    if this.hasLocaleParameter()
+    then result = this.getVaListParameterIndex() - 2
+    else result = this.getVaListParameterIndex() - 1
+  }
+}
+
 /**
  * The standard functions `printf`, `wprintf` and their glib variants.
  */

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -42,21 +42,6 @@ private Type getAFormatterWideTypeOrDefault() {
  * A standard library function that uses a `printf`-like formatting string.
  */
 abstract class FormattingFunction extends ArrayFunction, TaintFunction {
-  int firstFormatArgumentIndex;
-
-  FormattingFunction() {
-    firstFormatArgumentIndex > 0 and
-    if this.hasDefinition()
-    then firstFormatArgumentIndex = this.getDefinition().getNumberOfParameters()
-    else
-      if this instanceof BuiltInFunction
-      then firstFormatArgumentIndex = this.getNumberOfParameters()
-      else
-        forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
-          firstFormatArgumentIndex = fde.getNumberOfParameters()
-        )
-  }
-
   /** Gets the position at which the format parameter occurs. */
   abstract int getFormatParameterIndex();
 
@@ -135,8 +120,21 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
    * Gets the position of the first format argument, corresponding with
    * the first format specifier in the format string. We ignore all
    * implicit function definitions.
+   *
+   * There is no result if the formatting function takes a `va_list` argument.
    */
-  int getFirstFormatArgumentIndex() { result = firstFormatArgumentIndex }
+  int getFirstFormatArgumentIndex() {
+    result > 0 and
+    if this.hasDefinition()
+    then result = this.getDefinition().getNumberOfParameters()
+    else
+      if this instanceof BuiltInFunction
+      then result = this.getNumberOfParameters()
+      else
+        forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
+          result = fde.getNumberOfParameters()
+        )
+  }
 
   /**
    * Gets the position of the buffer size argument, if any.