Magic-Mirror/llvm-capstone
1
0
Fork 0
mirror of https://github.com/capstone-engine/llvm-capstone.git synced 2025-02-13 13:45:16 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

PR23057: fix use-after-free due to local token buffer in ParseCXXAmbiguousParenExpression, by Dmitry Polukhin

Browse Source 
Differential Revision: http://reviews.llvm.org/D16572
A    test/Parser/cxx-ambig-paren-expr-asan.cpp
M    lib/Parse/ParseExprCXX.cpp

llvm-svn: 259750
This commit is contained in:
Alexey Bataev 2016-02-04 04:22:09 +00:00
parent f650441b04
commit 703a93c4e6
2 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
clang/lib/Parse/ParseExprCXX.cpp
View File

@ -3081,6 +3081,14 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType,
ParseAs = NotCastExpr ? SimpleExpr : CastExpr; ParseAs = NotCastExpr ? SimpleExpr : CastExpr;
} }
// Create a fake EOF to mark end of Toks buffer.
Token AttrEnd;
AttrEnd.startToken();
AttrEnd.setKind(tok::eof);
AttrEnd.setLocation(Tok.getLocation());
AttrEnd.setEofData(Toks.data());
Toks.push_back(AttrEnd);
// The current token should go after the cached tokens. // The current token should go after the cached tokens.
Toks.push_back(Tok); Toks.push_back(Tok);
// Re-enter the stored parenthesized tokens into the token stream, so we may // Re-enter the stored parenthesized tokens into the token stream, so we may
@ -3105,6 +3113,10 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType,
Tracker.consumeClose(); Tracker.consumeClose();
ColonProt.restore(); ColonProt.restore();
// Consume EOF marker for Toks buffer.
assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
if (ParseAs == CompoundLiteral) { if (ParseAs == CompoundLiteral) {
ExprType = CompoundLiteral; ExprType = CompoundLiteral;
if (DeclaratorInfo.isInvalidType()) if (DeclaratorInfo.isInvalidType())
@ -3141,10 +3153,16 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType,
// Match the ')'. // Match the ')'.
if (Result.isInvalid()) { if (Result.isInvalid()) {
SkipUntil(tok::r_paren, StopAtSemi); while (Tok.isNot(tok::eof))
ConsumeAnyToken();
assert(Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
return ExprError(); return ExprError();
} }
Tracker.consumeClose(); Tracker.consumeClose();
// Consume EOF marker for Toks buffer.
assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
return Result; return Result;
} }

9
clang/test/Parser/cxx-ambig-paren-expr-asan.cpp Normal file
View File

@ -0,0 +1,9 @@
// RUN: %clang_cc1 -fsyntax-only -pedantic -verify %s
// This syntax error used to cause use-after free due to token local buffer
// in ParseCXXAmbiguousParenExpression.
int H((int()[)]);
// expected-error@-1 {{expected expression}}
// expected-error@-2 {{expected ']'}}
// expected-note@-3 {{to match this '['}}
// expected-error@-4 {{expected ';' after top level declarator}}