PR23057: fix use-after-free due to local token buffer in ParseCXXAmbi…
…guousParenExpression, by Dmitry Polukhin

Differential Revision: http://reviews.llvm.org/D16572
A    test/Parser/cxx-ambig-paren-expr-asan.cpp
M    lib/Parse/ParseExprCXX.cpp

llvm-svn: 259750
alexey-bataev committed Feb 4, 2016
1 parent f650441 commit 703a93c
Showing 2 changed files with 28 additions and 1 deletion.
20 changes: 19 additions & 1 deletion clang/lib/Parse/ParseExprCXX.cpp
@@ -3081,6 +3081,14 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType,
ParseAs = NotCastExpr ? SimpleExpr : CastExpr;
}

// Create a fake EOF to mark end of Toks buffer.
Token AttrEnd;
AttrEnd.startToken();
AttrEnd.setKind(tok::eof);
AttrEnd.setLocation(Tok.getLocation());
AttrEnd.setEofData(Toks.data());
Toks.push_back(AttrEnd);

// The current token should go after the cached tokens.
Toks.push_back(Tok);
// Re-enter the stored parenthesized tokens into the token stream, so we may
@@ -3105,6 +3113,10 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType,
Tracker.consumeClose();
ColonProt.restore();

// Consume EOF marker for Toks buffer.
assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();

if (ParseAs == CompoundLiteral) {
ExprType = CompoundLiteral;
if (DeclaratorInfo.isInvalidType())
@@ -3141,10 +3153,16 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType,

// Match the ')'.
if (Result.isInvalid()) {
SkipUntil(tok::r_paren, StopAtSemi);
while (Tok.isNot(tok::eof))
ConsumeAnyToken();
assert(Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
return ExprError();
}

Tracker.consumeClose();
// Consume EOF marker for Toks buffer.
assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
return Result;
}
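Review bot: On the two success exits (after `Tracker.consumeClose()` in the second hunk and before `return Result;` in the third), the only check that the cached `Toks` buffer has been fully consumed is `assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData());`, which compiles away in a release build. If `consumeClose()` can return with buffered tokens still pending (its recovery code is not on this page, so this needs confirming), the following `ConsumeAnyToken()` eats a real token and the lexer is left reading from the local buffer after return, which is the use-after-free this commit targets. Draining as the `Result.isInvalid()` branch does, `while (Tok.isNot(tok::eof)) ConsumeAnyToken();`, ahead of each marker consume would make every exit hold in all build modes. That loop stops at any `tok::eof`, so a runtime `if (Tok.getEofData() == AttrEnd.getEofData())` around the final `ConsumeAnyToken()` would avoid consuming an EOF that belongs to an outer stream. The function starts and ends outside the hunks shown.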
9 changes: 9 additions & 0 deletions clang/test/Parser/cxx-ambig-paren-expr-asan.cpp
@@ -0,0 +1,9 @@
// RUN: %clang_cc1 -fsyntax-only -pedantic -verify %s

// This syntax error used to cause use-after free due to token local buffer
// in ParseCXXAmbiguousParenExpression.
int H((int()[)]);
// expected-error@-1 {{expected expression}}
// expected-error@-2 {{expected ']'}}
// expected-note@-3 {{to match this '['}}
// expected-error@-4 {{expected ';' after top level declarator}}
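Review bot: The file name says asan, but the RUN line only runs `-fsyntax-only -pedantic -verify`, so the stale-buffer access itself is observed only when the clang binary under test was built with AddressSanitizer. On a plain build the test may pass with the bug still present, since it checks diagnostics rather than memory safety. A comment next to the existing one would make that dependency explicit, e.g. `// The use-after-free is only reliably detected when clang itself is built with ASan.`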
