From dcfcb048dd79b8899bfb1731c8649e7f82f5c460 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Thu, 13 Sep 2018 15:19:21 -0700
Subject: [PATCH 1/2] If a destination buffer has size 0, there's probably some hackery going on
---
 cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
index 1638f14f15f9..48de3fad8df3 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -21,4 +21,5 @@ from BufferWrite bw, int destSize
 where bw.hasExplicitLimit() // has an explicit size limit
 and destSize = getBufferSize(bw.getDest(), _)
 and (bw.getExplicitLimit() > destSize) // but it's larger than the destination
+ and not destSize = 0 // probably just a hack if the destination size is 0
 select bw, "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() + " bytes but the destination is only " + destSize + " bytes."
From de7a35575b3ba5c03b4061e093e2eee26c935ba6 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Mon, 8 Oct 2018 02:30:13 -0700
Subject: [PATCH 2/2] Documentation wording
---
 cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
index 48de3fad8df3..24a553dd0299 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
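Review bot: The added guard `and not destSize = 0` is written as a negated equality, whereas QL has an inequality operator and the conventional form is `and destSize != 0`; that also reads in parallel with the `>` comparison on the line just above it. The behaviour is identical, so this is wording of the condition only. The query's `from` clause that binds `destSize` is outside the hunk (only its text appears in the `@@` header), so this note covers just the `where` clause shown here.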
@@ -21,5 +21,5 @@ from BufferWrite bw, int destSize
 where bw.hasExplicitLimit() // has an explicit size limit
 and destSize = getBufferSize(bw.getDest(), _)
 and (bw.getExplicitLimit() > destSize) // but it's larger than the destination
- and not destSize = 0 // probably just a hack if the destination size is 0
+ and not destSize = 0 // probably a variable-size member if the destination size is 0
 select bw, "This '" + bw.getBWDesc() + "' operation is limited to " + bw.getExplicitLimit() + " bytes but the destination is only " + destSize + " bytes."
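Review bot: Dropping every result whose computed destination size is 0 is a blanket heuristic, and the reworded comment itself says only that such a destination is `probably a variable-size member`; a bounded write into a zero-sized destination that is not a flexible-array-member / struct-hack field is precisely the overflow this CWE-120 query exists to report, and those cases now vanish silently, with nothing in the query's help text recording the exclusion. If the intent is to suppress the struct-hack idiom, it would be more precise to key the exclusion on the destination's declared type (a trailing zero-length or unsized array member of a struct) rather than on the size value alone, though I have not verified what `getBufferSize` yields for such members, so that should be confirmed before changing the condition. At minimum the comment should state what is being suppressed and why, e.g. `// skip zero-sized destinations: usually a flexible array member or the struct hack, whose real size is not statically known and would otherwise be reported as an overflow`. The `from` clause binding `destSize` lies outside the hunk.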