Adding a fix and test case for a new false positive, also added a false positive we currently do not have a solution for, marked as SPURIOUS.

Author: bdrodes

cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql

@@ -364,6 +364,11 @@ module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
     )
     or
     isLeapYearCheckSink(n)
+    or
+    // If as the flow progresses, the value holding a dangerous operation result
+    // is apparently being passed by address to some function, it is more than likely
+    // intended to be modified, and therefore, the definition is killed.
+    exists(Call c | c.getAnArgument().(AddressOfExpr).getAnOperand() = n.asIndirectExpr())
   }
 
   /** Block flow out of an operation source to get the "closest" operation to the sink */

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected

@@ -21,6 +21,9 @@
 | test.cpp:1467:2:1467:15 | ... = ... | test.cpp:1464:2:1464:10 | ... += ... | test.cpp:1467:2:1467:15 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:1497:2:1497:22 | ... += ... | test.cpp:1497:2:1497:22 | ... += ... | test.cpp:1497:2:1497:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:1505:2:1505:22 | ... += ... | test.cpp:1505:2:1505:22 | ... += ... | test.cpp:1505:2:1505:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1584:2:1584:22 | ... += ... | test.cpp:1584:2:1584:22 | ... += ... | test.cpp:1584:2:1584:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1596:2:1596:22 | ... += ... | test.cpp:1596:2:1596:22 | ... += ... | test.cpp:1596:2:1596:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1609:2:1609:22 | ... += ... | test.cpp:1609:2:1609:22 | ... += ... | test.cpp:1609:2:1609:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 edges
 | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | provenance |  |
 | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | provenance |  |
@@ -152,4 +155,8 @@ nodes
 | test.cpp:1505:2:1505:22 | ... += ... | semmle.label | ... += ... |
 | test.cpp:1551:2:1551:22 | ... += ... | semmle.label | ... += ... |
 | test.cpp:1562:2:1562:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1573:2:1573:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1584:2:1584:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1596:2:1596:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1609:2:1609:22 | ... += ... | semmle.label | ... += ... |
 subpaths

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp

@@ -1605,3 +1605,28 @@ void odd_leap_year_check3(tm timeinfo){
 }
 
 
+void date_adjusted_through_mkgmtime(tm timeinfo){
+	timeinfo.tm_year += 1; // $ SPURIOUS: Alert[cpp/microsoft/public/leap-year/unchecked-after-arithmetic-year-modification]
+
+	// Using an odd sytle of checking divisible by 4 presumably as an optimization trick
+	// but also check unrelated conditions on the year as an optimization to rule out irrelevant years
+	// for gregorian leap years
+	if(timeinfo.tm_mon == 2 && (timeinfo.tm_year % 4) == 0 && (timeinfo.tm_year <= 1582 || timeinfo.tm_year % 100 != 0 || timeinfo.tm_year % 400 == 0))
+	{
+		// do something
+	}
+}
+
+bool data_killer(WORD *d){
+	(*d) = 1;
+	return true;
+}
+
+void interproc_data_killer1(tm timeinfo, WORD delta){
+	WORD year = delta + 1;
+
+	if(data_killer(&year)){
+		timeinfo.tm_year = year; 
+	}
+}
+