Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 05:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Var: copy Location to stack, to fix use-after-free crash bug

Browse source 
The AssignExpr constructor may free the "init" pointer via
AssignExpr::TypeCheck(), resulting in a crash due to use-after-free.
To fix the crash bug, this patch copies the `Location` to the stack
instead of using a potentially-dangling pointer.
This commit is contained in:
Max Kellermann 2020-02-27 11:12:08 +01:00
parent 528cf11a5c
commit 7be3641f1d
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/Var.cc
View file

@ -240,12 +240,15 @@ IntrusivePtr<Stmt> add_local(IntrusivePtr<ID> id, IntrusivePtr<BroType> t, init_
if ( c != INIT_FULL ) if ( c != INIT_FULL )
id->Error("can't use += / -= for initializations of local variables"); id->Error("can't use += / -= for initializations of local variables");
const Location* location = init->GetLocationInfo(); // copy the Location to the stack, because AssignExpr
// may free "init"
const Location location = init->GetLocationInfo() != nullptr ? *init->GetLocationInfo() : no_location;
Expr* name_expr = new NameExpr(IntrusivePtr{id}.release(), dt == VAR_CONST); Expr* name_expr = new NameExpr(IntrusivePtr{id}.release(), dt == VAR_CONST);
auto stmt = auto stmt =
make_intrusive<ExprStmt>(new AssignExpr(name_expr, init.release(), 0, 0, make_intrusive<ExprStmt>(new AssignExpr(name_expr, init.release(), 0, 0,
id->Attrs() ? id->Attrs()->Attrs() : 0 )); id->Attrs() ? id->Attrs()->Attrs() : 0 ));
stmt->SetLocationInfo(location); stmt->SetLocationInfo(&location);
return stmt; return stmt;
} }