[clang] [Clang][Sema] Fix NULL dereferences for invalid references (PR #77703)

via cfe-commits cfe-commits at lists.llvm.org
Wed Jan 10 15:38:47 PST 2024


llvmbot wrote:



@llvm/pr-subscribers-clang

Author: None (DavidKorczynski)

<details>
<summary>Changes</summary>

OSS-Fuzz has reported for a bit of time (since early 2020) a couple of NULL dereferences due to the Info reference becoming a reference to a NULL pointer.

I am not entirely sure if this is the desired fix, since NULL checking on a reference may not be considered a great practice, but I am submitting it for review in case it's acceptable.

Fixes:
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20946
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20938

---
Full diff: https://github.com/llvm/llvm-project/pull/77703.diff


2 Files Affected:

- (modified) clang/include/clang/Sema/ParsedAttr.h (+6-1) 
- (modified) clang/lib/Sema/SemaType.cpp (+3) 


``````````diff
diff --git a/clang/include/clang/Sema/ParsedAttr.h b/clang/include/clang/Sema/ParsedAttr.h
index 8c0edca1ebc5ee..70877f8c45cec2 100644
--- a/clang/include/clang/Sema/ParsedAttr.h
+++ b/clang/include/clang/Sema/ParsedAttr.h
@@ -342,7 +342,12 @@ class ParsedAttr final
     return IsProperty;
   }
 
-  bool isInvalid() const { return Invalid; }
+  bool isInvalid() const {
+    if (&Info == NULL) {
+      Invalid = true;
+    }
+    return Invalid;
+  }
   void setInvalid(bool b = true) const { Invalid = b; }
 
   bool hasProcessingCache() const { return HasProcessingCache; }
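Review bot: the `if (&Info == NULL)` test added to `isInvalid()` compares the address of a reference member with NULL, and the C++ standard treats a reference as always bound to a valid object, so the compiler is entitled to fold that comparison to false and the dereference the fuzzer found would still happen; the PR description itself raises this concern. The guard belongs where the null pointer gets bound to `Info` (the constructor or the code that builds the `ParsedAttr`), rejecting the null pointer before the reference is formed. Two smaller points on the same lines: `isInvalid()` is a `const` accessor and now mutates `Invalid` as a side effect of being called, and LLVM code uses `nullptr` rather than `NULL`.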
diff --git a/clang/lib/Sema/SemaType.cpp b/clang/lib/Sema/SemaType.cpp
index a376f20fa4f4e0..40abb3a197faa5 100644
--- a/clang/lib/Sema/SemaType.cpp
+++ b/clang/lib/Sema/SemaType.cpp
@@ -4240,6 +4240,9 @@ IdentifierInfo *Sema::getNSErrorIdent() {
 /// attribute list.
 static bool hasNullabilityAttr(const ParsedAttributesView &attrs) {
   for (const ParsedAttr &AL : attrs) {
+    if (AL.isInvalid()) {
+      continue;
+    }
     if (AL.getKind() == ParsedAttr::AT_TypeNonNull ||
         AL.getKind() == ParsedAttr::AT_TypeNullable ||
         AL.getKind() == ParsedAttr::AT_TypeNullableResult ||
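Review bot: the `if (AL.isInvalid()) continue;` added to `hasNullabilityAttr` skips every attribute flagged invalid, not only those whose `Info` is null; `setInvalid()` can be called for other reasons (see the accessor pair in the `ParsedAttr.h` hunk), so a nullability attribute that was marked invalid during earlier processing would now be silently ignored here, which is a behaviour change unrelated to the crash. The skip also only helps if the header's reference null check survives optimisation, which it need not. Suggest moving the guard to the point where the null pointer is bound, and adding a regression test under `clang/test` built from the OSS-Fuzz reproducers so the fix is verified rather than inferred.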

``````````

</details>


https://github.com/llvm/llvm-project/pull/77703
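The description above asks whether a null check on a reference is acceptable. As an added example (not clang's code; `AttrInfo`, `Attr`, `ScanResult` and `scanForNullability` are hypothetical stand-ins for `ParsedAttr`, its `Info` member and `hasNullabilityAttr`), the following shows the pattern a reviewer would ask for instead: refuse the null pointer before it is bound to the reference member, so neither `isInvalid()` nor the attribute scan ever has to test a reference for null.

```cpp
// Added illustration, not clang's code: reject a null pointer before it is
// bound to a reference member, instead of testing the reference for null later.
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-ins for ParsedAttr's attribute kinds and its Info object.
enum class AttrKind { TypeNonNull, TypeNullable, Other };
struct AttrInfo {
  AttrKind Kind;
};

// Hypothetical attribute record shaped like ParsedAttr: a reference member
// plus a mutable Invalid flag read through a const accessor.
class Attr {
  const AttrInfo &Info; // a reference can never legitimately be null
  mutable bool Invalid = false;

  explicit Attr(const AttrInfo &I) : Info(I) {}

public:
  // The only way to build an Attr. The null test happens on the pointer,
  // before the reference exists, so no member function ever needs to ask
  // "&Info == nullptr", a question the compiler may legally answer "never".
  static std::unique_ptr<Attr> create(const AttrInfo *I) {
    if (I == nullptr)
      return nullptr;
    return std::unique_ptr<Attr>(new Attr(*I));
  }

  AttrKind kind() const { return Info.Kind; }
  bool isInvalid() const { return Invalid; }
  void setInvalid(bool B = true) const { Invalid = B; }
};

// Result of scanning a list of raw Info pointers the way hasNullabilityAttr
// scans attributes: Rejected counts null pointers refused at construction,
// Found records whether a nullability attribute was seen among the valid ones.
struct ScanResult {
  std::size_t Rejected = 0;
  bool Found = false;
};

ScanResult scanForNullability(const std::vector<const AttrInfo *> &Infos) {
  ScanResult R;
  for (const AttrInfo *I : Infos) {
    std::unique_ptr<Attr> A = Attr::create(I);
    if (!A) { // null Info: refused up front, never dereferenced
      ++R.Rejected;
      continue;
    }
    if (A->isInvalid()) // invalid for a semantic reason, unrelated to null Info
      continue;
    if (A->kind() == AttrKind::TypeNonNull ||
        A->kind() == AttrKind::TypeNullable)
      R.Found = true;
  }
  return R;
}
```

The design choice is that validity of the pointer is decided once, at the only construction site, and the reference member then carries that guarantee for free; `isInvalid()` stays a pure accessor and the scan loop keeps its `isInvalid()` skip for attributes that are invalid for semantic reasons, which is the case the original loop was written for.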

