diff options
| author | Alexey Bataev <a.bataev@hotmail.com> | 2016-02-04 04:22:09 +0000 |
|---|---|---|
| committer | Alexey Bataev <a.bataev@hotmail.com> | 2016-02-04 04:22:09 +0000 |
| commit | 703a93c4e61fd3e1cf7d85d8600d82e2035ac82a (patch) | |
| tree | df31f280f7900205b97ee875f78602ec89d716f2 | |
| parent | f650441b04069195a2fa757ed4e6b5d85e0b7892 (diff) | |
| download | bcm5719-llvm-703a93c4e61fd3e1cf7d85d8600d82e2035ac82a.tar.gz bcm5719-llvm-703a93c4e61fd3e1cf7d85d8600d82e2035ac82a.zip | |
PR23057: fix use-after-free due to local token buffer in ParseCXXAmbiguousParenExpression, by Dmitry Polukhin
Differential Revision: http://reviews.llvm.org/D16572
A test/Parser/cxx-ambig-paren-expr-asan.cpp
M lib/Parse/ParseExprCXX.cpp
llvm-svn: 259750
| -rw-r--r-- | clang/lib/Parse/ParseExprCXX.cpp | 20 | ||||
| -rw-r--r-- | clang/test/Parser/cxx-ambig-paren-expr-asan.cpp | 9 |
2 files changed, 28 insertions, 1 deletions
diff --git a/clang/lib/Parse/ParseExprCXX.cpp b/clang/lib/Parse/ParseExprCXX.cpp index 53009caf8c7..760c30b8124 100644 --- a/clang/lib/Parse/ParseExprCXX.cpp +++ b/clang/lib/Parse/ParseExprCXX.cpp @@ -3081,6 +3081,14 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType, ParseAs = NotCastExpr ? SimpleExpr : CastExpr; } + // Create a fake EOF to mark end of Toks buffer. + Token AttrEnd; + AttrEnd.startToken(); + AttrEnd.setKind(tok::eof); + AttrEnd.setLocation(Tok.getLocation()); + AttrEnd.setEofData(Toks.data()); + Toks.push_back(AttrEnd); + // The current token should go after the cached tokens. Toks.push_back(Tok); // Re-enter the stored parenthesized tokens into the token stream, so we may @@ -3105,6 +3113,10 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType, Tracker.consumeClose(); ColonProt.restore(); + // Consume EOF marker for Toks buffer. + assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData()); + ConsumeAnyToken(); + if (ParseAs == CompoundLiteral) { ExprType = CompoundLiteral; if (DeclaratorInfo.isInvalidType()) @@ -3141,10 +3153,16 @@ Parser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType, // Match the ')'. if (Result.isInvalid()) { - SkipUntil(tok::r_paren, StopAtSemi); + while (Tok.isNot(tok::eof)) + ConsumeAnyToken(); + assert(Tok.getEofData() == AttrEnd.getEofData()); + ConsumeAnyToken(); return ExprError(); } Tracker.consumeClose(); + // Consume EOF marker for Toks buffer. + assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData()); + ConsumeAnyToken(); return Result; } diff --git a/clang/test/Parser/cxx-ambig-paren-expr-asan.cpp b/clang/test/Parser/cxx-ambig-paren-expr-asan.cpp new file mode 100644 index 00000000000..ec9d6b9da39 --- /dev/null +++ b/clang/test/Parser/cxx-ambig-paren-expr-asan.cpp @@ -0,0 +1,9 @@ +// RUN: %clang_cc1 -fsyntax-only -pedantic -verify %s + +// This syntax error used to cause use-after free due to token local buffer +// in ParseCXXAmbiguousParenExpression. +int H((int()[)]); +// expected-error@-1 {{expected expression}} +// expected-error@-2 {{expected ']'}} +// expected-note@-3 {{to match this '['}} +// expected-error@-4 {{expected ';' after top level declarator}} |
