Fix use-after-free crash when using --clang

chrchr-github · Aug 24, 2023 · 757ea68 · 757ea68
1 parent 5a7c7b9
commit 757ea68
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/lib/checkvaarg.cpp b/lib/checkvaarg.cpp
@@ -67,7 +67,9 @@ void CheckVaarg::va_start_argument()
                 if (var && var->isReference())
                     referenceAs_va_start_error(param2, var->name());
                 if (var && var->index() + 2 < function->argCount() && printWarnings) {
-                    wrongParameterTo_va_start_error(tok, var->name(), function->argumentList[function->argumentList.size()-2].name());
+                    auto it = function->argumentList.end();
+                    std::advance(it, -2);
+                    wrongParameterTo_va_start_error(tok, var->name(), it->name());
                 }
                 tok = tok->linkAt(1);
             }

diff --git a/lib/clangimport.cpp b/lib/clangimport.cpp
@@ -1373,7 +1373,6 @@ void clangimport::AstNode::createTokensFunctionDecl(TokenList *tokenList)
         function->nestedIn = nestedIn;
     function->argDef = par1;
     // Function arguments
-    function->argumentList.reserve(children.size());
     for (int i = 0; i < children.size(); ++i) {
         AstNodePtr child = children[i];
         if (child->nodeType != ParmVarDecl)

diff --git a/lib/symboldatabase.cpp b/lib/symboldatabase.cpp
@@ -4427,8 +4427,11 @@ const Function * Function::getOverriddenFunctionRecursive(const ::Type* baseType
 
 const Variable* Function::getArgumentVar(nonneg int num) const
 {
-    if (num < argumentList.size())
-        return &argumentList[num];
+    if (num < argumentList.size()) {
+        auto it = argumentList.begin();
+        std::advance(it, num);
+        return &*it;
+    }
     return nullptr;
 }
 

diff --git a/lib/symboldatabase.h b/lib/symboldatabase.h
@@ -907,7 +907,7 @@ class CPPCHECKLIB Function {
     const ::Type* retType{};          ///< function return type
     const Scope* functionScope{};     ///< scope of function body
     const Scope* nestedIn{};          ///< Scope the function is declared in
-    std::vector<Variable> argumentList; ///< argument list
+    std::list<Variable> argumentList; ///< argument list, must remain list due to clangimport usage!
     nonneg int initArgCount{};        ///< number of args with default values
     Type type = eFunction;            ///< constructor, destructor, ...
     const Token* noexceptArg{};       ///< noexcept token