[clang] [clang] Fix heap-use-after-free in TryAnnotateTypeOrScopeTokenAfterScopeSpec (PR #124521)
via cfe-commits
cfe-commits at lists.llvm.org
Mon Jan 27 00:23:14 PST 2025
llvmbot wrote:
@llvm/pr-subscribers-clang
Author: None (Shivam7-1)
<details>
<summary>Changes</summary>
issue link: https://issues.oss-fuzz.com/issues/392279308
This pull request addresses a heap-use-after-free vulnerability in the TryAnnotateTypeOrScopeTokenAfterScopeSpec function by adding a check to ensure that SS (CXXScopeSpec) is valid before using it and by ensuring proper management of pointers.
---
Full diff: https://github.com/llvm/llvm-project/pull/124521.diff
1 Files Affected:
- (modified) clang/lib/Parse/Parser.cpp (+5-5)
``````````diff
diff --git a/clang/lib/Parse/Parser.cpp b/clang/lib/Parse/Parser.cpp
index 0710542f5e938e..4672199fdec584 100644
--- a/clang/lib/Parse/Parser.cpp
+++ b/clang/lib/Parse/Parser.cpp
@@ -2121,14 +2121,14 @@ bool Parser::TryAnnotateTypeOrScopeToken(
/// Try to annotate a type or scope token, having already parsed an
/// optional scope specifier. \p IsNewScope should be \c true unless the scope
/// specifier was extracted from an existing tok::annot_cxxscope annotation.
-bool Parser::TryAnnotateTypeOrScopeTokenAfterScopeSpec(
- CXXScopeSpec &SS, bool IsNewScope,
- ImplicitTypenameContext AllowImplicitTypename) {
+bool Parser::TryAnnotateTypeOrScopeTokenAfterScopeSpec(CXXScopeSpec &SS, bool IsNewScope,ImplicitTypenameContext AllowImplicitTypename) {
+ if (!SS.isValid()) {
+ return false; // handle the error appropriately
+ }
if (Tok.is(tok::identifier)) {
// Determine whether the identifier is a type name.
if (ParsedType Ty = Actions.getTypeName(
- *Tok.getIdentifierInfo(), Tok.getLocation(), getCurScope(), &SS,
- false, NextToken().is(tok::period), nullptr,
+ *Tok.getIdentifierInfo(), Tok.getLocation(), getCurScope(), &SS,/*WantNontrivialTypeSourceInfo=*/false, NextToken().is(tok::period), nullptr,
/*IsCtorOrDtorName=*/false,
/*NonTrivialTypeSourceInfo=*/true,
/*IsClassTemplateDeductionContext=*/true, AllowImplicitTypename)) {
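Review bot: The new `if (!SS.isValid()) return false;` guard at the top of the function changes parsing behaviour rather than addressing the reported use-after-free: the doc comment directly above says this function runs "having already parsed an optional scope specifier", so SS is frequently empty here (an unqualified identifier with no `::`), and `CXXScopeSpec::isValid()` is false whenever no scope representation is set, not only when a specifier was malformed. With this guard every such identifier is returned from before `Actions.getTypeName` is ever consulted, so unqualified type names stop being annotated. A null-check on the scope representation also cannot observe a dangling pointer, which is what a heap-use-after-free implies; nothing in the hunk shows where the freed object comes from or why this check would prevent the fuzzer crash. Please either use `SS.isInvalid()` if the intent is to skip a specifier that failed to parse, or better, identify the actual dangling reference and fix its lifetime, and add a regression test reproducing the OSS-Fuzz case. Separately, in the `getTypeName` call the new argument comment `/*WantNontrivialTypeSourceInfo=*/false` labels the fifth parameter, whose existing name is `isClassName`, and it now sits a few arguments before `/*NonTrivialTypeSourceInfo=*/true`, so the same concept is named twice with opposite values; drop the mislabelled comment. The signature rewrap on the `+bool Parser::TryAnnotateTypeOrScopeTokenAfterScopeSpec(...)` line and the joined `&SS,/*WantNontrivialTypeSourceInfo=*/false, ...` line both exceed 80 columns and lack a space after the comma; run clang-format and keep unrelated reformatting out of the patch so the diff shows only the intended change.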
``````````
</details>
https://github.com/llvm/llvm-project/pull/124521