[clang] [Clang][Sema] Fix NULL dereferences for invalid references (PR #77703)
via cfe-commits
cfe-commits at lists.llvm.org
Wed Jan 10 15:38:17 PST 2024
https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/77703
OSS-Fuzz has reported for a bit of time (since early 2020) a couple of NULL dereferences due to the Info reference becoming a reference to a NULL pointer.
I am not entirely sure if this is the desired fix since NULL checking on a reference may not be considered a great practice, but I am submitting it for review in case it's acceptable.
Fixes:
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20946
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20938
From a5381b9a29ba20f22499307a1303ba61dffc0a50 Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Wed, 10 Jan 2024 15:35:04 -0800
Subject: [PATCH] [Clang][Sema] Fix NULL dereferences for invalid references
OSS-Fuzz has reported for a bit of time (since early 2020) a couple of
NULL dereferences due to the Info reference becoming a reference to a
NULL pointer.
I am not entirely sure if this is the desired fix since NULL checking on a
reference may not be considered a great practice, but I am submitting it for
review in case it's acceptable.
Fixes:
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20946
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20938
Signed-off-by: David Korczynski <david at adalogics.com>
---
clang/include/clang/Sema/ParsedAttr.h | 7 ++++++-
clang/lib/Sema/SemaType.cpp | 3 +++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/clang/include/clang/Sema/ParsedAttr.h b/clang/include/clang/Sema/ParsedAttr.h
index 8c0edca1ebc5ee..70877f8c45cec2 100644
--- a/clang/include/clang/Sema/ParsedAttr.h
+++ b/clang/include/clang/Sema/ParsedAttr.h
@@ -342,7 +342,12 @@ class ParsedAttr final
return IsProperty;
}
- bool isInvalid() const { return Invalid; }
+ bool isInvalid() const {
+ if (&Info == NULL) {
+ Invalid = true;
+ }
+ return Invalid;
+ }
void setInvalid(bool b = true) const { Invalid = b; }
bool hasProcessingCache() const { return HasProcessingCache; }
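Review bot: the added guard `if (&Info == NULL)` in `isInvalid()` cannot reliably catch the condition it targets. `Info` is a reference member, a reference can never be validly bound to null, and the compiler is entitled to assume its address is non-null and fold the comparison away, so the dereference OSS-Fuzz reported can still happen with the check in place. The defect is at the site where a null pointer is bound to `Info` (the `ParsedAttr` construction path), so the fix belongs there, either by refusing to create the attribute from a null pointer or by asserting at that site. Two smaller points: LLVM code uses `nullptr` rather than `NULL`, and turning `isInvalid()` from a plain `const` accessor into a call that mutates `Invalid` as a side effect makes the query order-dependent; if a check must stay here, `return Invalid || &Info == nullptr;` would at least avoid the hidden write.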
diff --git a/clang/lib/Sema/SemaType.cpp b/clang/lib/Sema/SemaType.cpp
index a376f20fa4f4e0..40abb3a197faa5 100644
--- a/clang/lib/Sema/SemaType.cpp
+++ b/clang/lib/Sema/SemaType.cpp
@@ -4240,6 +4240,9 @@ IdentifierInfo *Sema::getNSErrorIdent() {
/// attribute list.
static bool hasNullabilityAttr(const ParsedAttributesView &attrs) {
for (const ParsedAttr &AL : attrs) {
+ if (AL.isInvalid()) {
+ continue;
+ }
if (AL.getKind() == ParsedAttr::AT_TypeNonNull ||
AL.getKind() == ParsedAttr::AT_TypeNullable ||
AL.getKind() == ParsedAttr::AT_TypeNullableResult ||
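Review bot: skipping every invalid attribute in `hasNullabilityAttr` is broader than the null-`Info` case this patch is fixing. `Invalid` is also set through `setInvalid()` for unrelated reasons, so after this change an attribute of kind `AT_TypeNonNull`, `AT_TypeNullable` or `AT_TypeNullableResult` that was marked invalid earlier is no longer reported as a nullability attribute, which changes the function's result rather than only avoiding the crash; the comment above the function should say that invalid attributes are ignored if that is the intended behaviour. Style-wise, LLVM omits braces around a single-statement `if`: `if (AL.isInvalid()) continue;`. A regression test built from the two OSS-Fuzz reproducers would also be expected alongside the change.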