Experimental and rather quickly put together query for (non-constant) multiplication results that are used as the size for an allocation. This is a practically motivated query intended to be a fast way to find a common pattern for potential vulnerabilities - e.g. it showed some promise on VLC.

Related:

• cpp/integer-multiplication-cast-to-long "Multiplication result converted to larger type"
• cpp/uncontrolled-allocation-size "Overflow in uncontrolled allocation size"

TODO now:

• review real world results (for potential; they don't need to be perfect for experimental) and set query precision
• write a proper violation message and query headers
• add some tests
• add basic qhelp with an example

TODO later (i.e. not required for merging into experimental):

• apply range analysis on the multiplication to build confidence it may actually overflow? (@MathiasVP said: "There’s nothing inherently wrong with the result of a multiplication flowing into an allocation, so it would probably need to be more constrained." ... "If we preserve interesting results when we restrict the multiplications to be potentially overflowing I think it could be a good experimental query")
• apply taint tracking on the multiplication to ensure its user controlled??? (but this might just turn the query results into a subset of cpp/uncontrolled-allocation-size, i.e. remove many of the interesting results)
• we've also looked at similar cases that flow into a call to memset. In the long run, perhaps 'allocation' could be generalized to something like 'size of any buffer operation'?

@jbj I'm interested in your thoughts on this. Note that the target is only experimental, at least for now.