From 757ea686b0540aea84f1c8a3ff96a21a3d7b24af Mon Sep 17 00:00:00 2001
From: chrchr
Date: Thu, 24 Aug 2023 19:07:31 +0200
Subject: [PATCH] Fix use-after-free crash when using --clang

---
 lib/checkvaarg.cpp | 4 +++-
 lib/clangimport.cpp | 1 -
 lib/symboldatabase.cpp | 7 +++++--
 lib/symboldatabase.h | 2 +-
 4 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/lib/checkvaarg.cpp b/lib/checkvaarg.cpp
index 9e6d244bee0..2df233fbc54 100644
--- a/lib/checkvaarg.cpp
+++ b/lib/checkvaarg.cpp
@@ -67,7 +67,9 @@ void CheckVaarg::va_start_argument()
 if (var && var->isReference())
 referenceAs_va_start_error(param2, var->name());
 if (var && var->index() + 2 < function->argCount() && printWarnings) {
- wrongParameterTo_va_start_error(tok, var->name(), function->argumentList[function->argumentList.size()-2].name());
+ auto it = function->argumentList.end();
+ std::advance(it, -2);
+ wrongParameterTo_va_start_error(tok, var->name(), it->name());
 }
 tok = tok->linkAt(1);
 }
diff --git a/lib/clangimport.cpp b/lib/clangimport.cpp
index 2e68aaa26bd..2742eb5c9d5 100644
--- a/lib/clangimport.cpp
+++ b/lib/clangimport.cpp
@@ -1373,7 +1373,6 @@ void clangimport::AstNode::createTokensFunctionDecl(TokenList *tokenList)
 function->nestedIn = nestedIn;
 function->argDef = par1;
 // Function arguments
- function->argumentList.reserve(children.size());
 for (int i = 0; i < children.size(); ++i) {
 AstNodePtr child = children[i];
 if (child->nodeType != ParmVarDecl)
diff --git a/lib/symboldatabase.cpp b/lib/symboldatabase.cpp
index 384bef62045..01d2a94f142 100644
--- a/lib/symboldatabase.cpp
+++ b/lib/symboldatabase.cpp
@@ -4427,8 +4427,11 @@ const Function * Function::getOverriddenFunctionRecursive(const ::Type* baseType
 
 const Variable* Function::getArgumentVar(nonneg int num) const
 {
- if (num < argumentList.size())
- return &argumentList[num];
+ if (num < argumentList.size()) {
+ auto it = argumentList.begin();
+ std::advance(it, num);
+ return &*it;
+ }
 return nullptr;
 }
 
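Review bot: The `end()`-then-`std::advance(it, -2)` pair in the new `wrongParameterTo_va_start_error` call spells out in two statements what `auto it = std::prev(function->argumentList.end(), 2);` says in one, and the same holds for the `begin()`/`std::advance(it, num)` pair in the symboldatabase.cpp hunk, where `auto it = std::next(argumentList.begin(), num);` is the idiom. Both forms come from `<iterator>`, and neither hunk adds that include, so the two files presumably get it transitively; a direct include would be safer than relying on that. The backward step stays inside the list only while the guard `var->index() + 2 < function->argCount()` implies at least two elements, i.e. while `argCount()` tracks `argumentList.size()`; the hunk does not show that relation, and stepping before `begin()` is undefined behaviour, so it is worth confirming once. The enclosing function va_start_argument starts and ends outside the hunk.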
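Review bot: `getArgumentVar` now walks the list from `begin()`, so a lookup costs O(num) and a caller that loops `getArgumentVar(i)` over every argument becomes quadratic in the argument count; with typical argument counts that is acceptable, but the signature still reads like random access, so say so on the function: `// Linear in num: argumentList is a std::list; callers that need every argument should iterate argumentList directly.` The guard `num < argumentList.size()` compares a `nonneg int` with an unsigned `size_type`; if `nonneg` is only an annotation and a negative value slips through, the comparison wraps and `std::advance` walks off the list, so `static_cast<std::size_t>(num) < argumentList.size()` together with an `assert(num >= 0)` would make the intent explicit and catch the bad case in debug builds. The returned pointer is stable for a `std::list` element, which is presumably the point of the container change.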
diff --git a/lib/symboldatabase.h b/lib/symboldatabase.h
index 8b988e54a02..fc7554a704f 100644
--- a/lib/symboldatabase.h
+++ b/lib/symboldatabase.h
@@ -907,7 +907,7 @@ class CPPCHECKLIB Function {
 const ::Type* retType{}; ///< function return type
 const Scope* functionScope{}; ///< scope of function body
 const Scope* nestedIn{}; ///< Scope the function is declared in
- std::vector argumentList; ///< argument list
+ std::list argumentList; ///< argument list, must remain list due to clangimport usage!
 nonneg int initArgCount{}; ///< number of args with default values
 Type type = eFunction; ///< constructor, destructor, ...
 const Token* noexceptArg{}; ///< noexcept token
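Review bot: The new comment on `argumentList` states that it must remain a list but not why, and the reason is exactly what the next maintainer needs before switching it back to `std::vector`; from the commit title and the dropped `reserve()` in clangimport.cpp it appears that clangimport holds pointers to elements while still appending, and `std::list` is chosen because its element addresses survive insertion. I would write `///< argument list; must stay a std::list: clangimport holds pointers to elements while appending, and list keeps element addresses stable (vector reallocation caused a use-after-free)`. The diffstat shows no other line in this header changing, so `std::list` depends on `<list>` already being included directly or transitively; a direct include would avoid a latent build break in a translation unit that includes this header first. The class Function starts and ends outside the hunk.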