[clang] [clang][parse] Fix UAF in MaybeDestroyTemplates (PR #77698)
via cfe-commits
cfe-commits at lists.llvm.org
Wed Jan 10 14:28:03 PST 2024
llvmbot wrote:
@llvm/pr-subscribers-clang
Author: None (DavidKorczynski)
<details>
<summary>Changes</summary>
There are cases where `Tok.is(tok::eof)` is true and `PP.mightHavePendingAnnotationTokens()` is also true, and in these cases a UAF may happen on the destroyed template IDs.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23204
I am not sure if a unit test is needed. I can add one in a similar style to https://github.com/llvm/llvm-project/pull/76676, but I am not sure if this is actually desired for OSS-Fuzz issues. In the end, OSS-Fuzz will catch any regressions and will also verify that the UAF is fixed.
---
Full diff: https://github.com/llvm/llvm-project/pull/77698.diff
1 file affected:
- (modified) clang/include/clang/Parse/Parser.h (+1-2)
``````````diff
diff --git a/clang/include/clang/Parse/Parser.h b/clang/include/clang/Parse/Parser.h
index 186dbb77085856..5531234a6ea084 100644
--- a/clang/include/clang/Parse/Parser.h
+++ b/clang/include/clang/Parse/Parser.h
@@ -311,8 +311,7 @@ class Parser : public CodeCompletionHandler {
SmallVector<TemplateIdAnnotation *, 16> TemplateIds;
void MaybeDestroyTemplateIds() {
- if (!TemplateIds.empty() &&
- (Tok.is(tok::eof) || !PP.mightHavePendingAnnotationTokens()))
+ if (!TemplateIds.empty() && !PP.mightHavePendingAnnotationTokens())
DestroyTemplateIds();
}
void DestroyTemplateIds();
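Review bot: Dropping the `Tok.is(tok::eof)` disjunct means `TemplateIds` are now retained whenever `PP.mightHavePendingAnnotationTokens()` is true, including at end of input; the hunk should make clear (or a comment above the `if` should state) that some later cleanup still releases the ids once parsing finishes, otherwise the use-after-free at eof is traded for entries that are never destroyed. A short comment explaining why reaching eof is not by itself a safe point to destroy the ids (pending annotation tokens can still reference them) would document the reasoning, and a regression test built from the OSS-Fuzz reproducer referenced in the description would guard the new condition against being reverted.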
``````````
</details>
https://github.com/llvm/llvm-project/pull/77698