Update docs/codeql/codeql-language-guides/advanced-dataflow-scenarios-cpp.rst

MathiasVP · felicitymay · web-flow · commit f3dd2ebe7d91 · 2023-10-18T14:05:19.000+02:00
Co-authored-by: Felicity Chapman &lt;felicitymay@github.com&gt;
diff --git a/docs/codeql/codeql-language-guides/advanced-dataflow-scenarios-cpp.rst b/docs/codeql/codeql-language-guides/advanced-dataflow-scenarios-cpp.rst
@@ -310,8 +310,8 @@ Consider an alternative scenario where ``U`` contains a single ``int`` data, and
   }
 
 Since data is no longer a pointer our ``isAdditionalFlowStep`` doesn't make any sense because it specifies flow to the indirection of the field (and an integer does not have any indirections). So there is no choice about whether to taint the value of the field or its indirection: it has to be the value. However, since we pass the address of ``data`` to ``use_pointer`` the tainted data is what is pointed to by the argument of ``use_pointer`` (since the data pointed to by ``&data`` is exactly ``data``). So to handle this case we need a mix of the two situations above:
-  1. We need to taint the value of the field just like in the :ref:`Using asExpr <using-asExpr>` section.
-  2. We need to select the indirection of the argument just like in the :ref:`Using asIndirectExpr <using-asIndirectExpr>` section.
+  1. We need to taint the value of the field as described the :ref:`Using asExpr <using-asExpr>` section.
+  2. We need to select the indirection of the argument as described in the :ref:`Using asIndirectExpr <using-asIndirectExpr>` section.
 
 With these changes the query looks like:
 

Original file line number	Diff line number	Diff line change
@@ -310,8 +310,8 @@ Consider an alternative scenario where ``U`` contains a single ``int`` data, and
`310`	`310`	`}`
`311`	`311`
`312`	`312`	Since data is no longer a pointer our ``isAdditionalFlowStep`` doesn't make any sense because it specifies flow to the indirection of the field (and an integer does not have any indirections). So there is no choice about whether to taint the value of the field or its indirection: it has to be the value. However, since we pass the address of ``data`` to ``use_pointer`` the tainted data is what is pointed to by the argument of ``use_pointer`` (since the data pointed to by ``&data`` is exactly ``data``). So to handle this case we need a mix of the two situations above:
`313`		- 1. We need to taint the value of the field just like in the :ref:`Using asExpr <using-asExpr>` section.
`314`		- 2. We need to select the indirection of the argument just like in the :ref:`Using asIndirectExpr <using-asIndirectExpr>` section.
	`313`	+ 1. We need to taint the value of the field as described the :ref:`Using asExpr <using-asExpr>` section.
	`314`	+ 2. We need to select the indirection of the argument as described in the :ref:`Using asIndirectExpr <using-asIndirectExpr>` section.
`315`	`315`
`316`	`316`	`With these changes the query looks like:`
`317`	`317`