[clang] [clang][parse] Fix UAF in MaybeDestroyTemplates (PR #77698)

via cfe-commits cfe-commits at lists.llvm.org
Wed Jan 10 14:27:35 PST 2024


https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/77698

There are cases where `Tok.is(tok::eof)` is true and `PP.mightHavePendingAnnotationTokens()` is also true, and in these cases a UAF may happen on the destroyed template IDs.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23204

I am not sure if a unit test is needed. I can add one in a similar style to https://github.com/llvm/llvm-project/pull/76676, but I am not sure if this is actually desired for OSS-Fuzz issues. In the end OSS-Fuzz will catch regressions in any case and will also verify the UAF is fixed.

From 16984971e735cc11b93f26f9ec588148f14ba427 Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Wed, 10 Jan 2024 14:22:54 -0800
Subject: [PATCH] [clang][parse] Fix UAF in MaybeDestroyTemplates

There are cases where `Tok.is(tok::eof)` is true and
`PP.mightHavePendingAnnotationTokens()` is also true, and in these cases
a UAF may happen on the destroyed template IDs.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23204

Signed-off-by: David Korczynski <david at adalogics.com>
---
 clang/include/clang/Parse/Parser.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/clang/include/clang/Parse/Parser.h b/clang/include/clang/Parse/Parser.h
index 186dbb77085856..5531234a6ea084 100644
--- a/clang/include/clang/Parse/Parser.h
+++ b/clang/include/clang/Parse/Parser.h
@@ -311,8 +311,7 @@ class Parser : public CodeCompletionHandler {
   SmallVector<TemplateIdAnnotation *, 16> TemplateIds;
 
   void MaybeDestroyTemplateIds() {
-    if (!TemplateIds.empty() &&
-        (Tok.is(tok::eof) || !PP.mightHavePendingAnnotationTokens()))
+    if (!TemplateIds.empty() && !PP.mightHavePendingAnnotationTokens())
       DestroyTemplateIds();
   }
   void DestroyTemplateIds();
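Review bot: Dropping the `Tok.is(tok::eof)` clause in `MaybeDestroyTemplateIds()` means the vector is now freed only when `PP.mightHavePendingAnnotationTokens()` is false, so at end of file with annotation tokens still pending the entries stay alive until some later call re-checks the condition; please confirm there is an unconditional `DestroyTemplateIds()` on the parser's teardown path, otherwise the change trades the use-after-free for a leak that the same sanitizer build would report. The commit message should also say why the eof short-circuit was there in the first place (presumably to guarantee cleanup at end of translation unit) and why it is safe to drop, since a reader of this hunk alone cannot tell. A regression test in the style of PR #76676 with the OSS-Fuzz reproducer would be worth adding: this path only manifests under ASan, so without a test in the tree the eof condition could quietly come back.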
