[clang] [clang] Fix heap-use-after-free in TryAnnotateTypeOrScopeTokenAfterScopeSpec (PR #124521)

via cfe-commits cfe-commits at lists.llvm.org
Mon Jan 27 00:21:38 PST 2025


https://github.com/Shivam7-1 created https://github.com/llvm/llvm-project/pull/124521

Issue link: https://issues.oss-fuzz.com/issues/392279308
This pull request addresses a heap-use-after-free vulnerability in the TryAnnotateTypeOrScopeTokenAfterScopeSpec function by adding a check to ensure that SS (CXXScopeSpec) is valid before using it, and by ensuring proper management of pointers.



>From 3c3dbfa63c27f4c7cd589a731845f9489f8e2b64 Mon Sep 17 00:00:00 2001
From: Shivam7-1 <55046031+Shivam7-1 at users.noreply.github.com>
Date: Mon, 27 Jan 2025 13:48:33 +0530
Subject: [PATCH] fix Heap-use-after-free

---
 clang/lib/Parse/Parser.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/clang/lib/Parse/Parser.cpp b/clang/lib/Parse/Parser.cpp
index 0710542f5e938e..4672199fdec584 100644
--- a/clang/lib/Parse/Parser.cpp
+++ b/clang/lib/Parse/Parser.cpp
@@ -2121,14 +2121,14 @@ bool Parser::TryAnnotateTypeOrScopeToken(
 /// Try to annotate a type or scope token, having already parsed an
 /// optional scope specifier. \p IsNewScope should be \c true unless the scope
 /// specifier was extracted from an existing tok::annot_cxxscope annotation.
-bool Parser::TryAnnotateTypeOrScopeTokenAfterScopeSpec(
-    CXXScopeSpec &SS, bool IsNewScope,
-    ImplicitTypenameContext AllowImplicitTypename) {
+bool Parser::TryAnnotateTypeOrScopeTokenAfterScopeSpec(CXXScopeSpec &SS, bool IsNewScope,ImplicitTypenameContext AllowImplicitTypename) {
+  if (!SS.isValid()) {
+    return false; // handle the error appropriately
+  }
   if (Tok.is(tok::identifier)) {
     // Determine whether the identifier is a type name.
     if (ParsedType Ty = Actions.getTypeName(
-            *Tok.getIdentifierInfo(), Tok.getLocation(), getCurScope(), &SS,
-            false, NextToken().is(tok::period), nullptr,
+            *Tok.getIdentifierInfo(), Tok.getLocation(), getCurScope(), &SS,/*WantNontrivialTypeSourceInfo=*/false, NextToken().is(tok::period), nullptr,
             /*IsCtorOrDtorName=*/false,
             /*NonTrivialTypeSourceInfo=*/true,
             /*IsClassTemplateDeductionContext=*/true, AllowImplicitTypename)) {
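Review bot: The early `if (!SS.isValid()) return false;` added at the top of TryAnnotateTypeOrScopeTokenAfterScopeSpec rejects the common case rather than an error case. The doc comment directly above says the function is entered "having already parsed an optional scope specifier", so an empty SS (which is not valid) is the normal unqualified-name path; returning before the `if (Tok.is(tok::identifier))` block means a plain identifier never reaches `Actions.getTypeName` and is never annotated as a type. The comment `// handle the error appropriately` is a placeholder and contradicts the line it sits on: if this really is an error it needs to be diagnosed, and if it is the no-scope case the check should be dropped. Nothing else in the hunk changes how SS or any other object is created or destroyed, so the diff does not show how this check prevents the heap-use-after-free from the linked oss-fuzz report; please attach the reproducer and the ASan report (the free site and the use site) so the fix can target the dangling use, and add a regression test under clang/test.

Review bot (style, same hunk): the two rewrapped lines `CXXScopeSpec &SS, bool IsNewScope,ImplicitTypenameContext AllowImplicitTypename) {` and `&SS,/*WantNontrivialTypeSourceInfo=*/false, NextToken().is(tok::period), nullptr,` are well over 80 columns and both lack a space after the comma; the replaced lines were already clang-format clean, so please run clang-format on the change. Also drop the new `/*WantNontrivialTypeSourceInfo=*/` annotation on the fifth argument: the unchanged line two below already labels a different, later argument `/*NonTrivialTypeSourceInfo=*/true`, and two positional arguments cannot both be the same parameter.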


