Skip to content

Possible use-after-free in readConstraintSatisfaction #98667

New issue
New issue
Closed
#98699
Closed
Possible use-after-free in readConstraintSatisfaction#98667
#98699
Labels
clang:frontendLanguage frontend issues, e.g. anything involving "Sema"code-qualityconceptsC++20 concepts
@ahatanak

Description

@ahatanak
ahatanak
opened on Jul 12, 2024

The following code seems to have a bug.

     if (/* IsDiagnostic */Record.readInt()) {
        SourceLocation DiagLocation = Record.readSourceLocation();
        std::string DiagMessage = Record.readString();
        Satisfaction.Details.emplace_back(
            ConstraintExpr, new (Record.getContext())
                                ConstraintSatisfaction::SubstitutionDiagnostic{
                                    DiagLocation, DiagMessage});
      } else
        Satisfaction.Details.emplace_back(ConstraintExpr, Record.readExpr());

std::string DiagMessage gets destructed when it goes out of scope at the end of the if statement, but its storage is being passed to the constructor of SubstitutionDiagnostic. SubstitutionDiagnostic is a typedef of std::pair<SourceLocation, StringRef>, so the StringRef holds a pointer to a deallocated array.

We are seeing a use-after-free crash that seems to be caused by the code above.

Metadata

Metadata

Assignees

No one assigned

    Labels

    clang:frontendLanguage frontend issues, e.g. anything involving "Sema"code-qualityconceptsC++20 concepts

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions