Author: Alexander Kornienko Date: 2025-09-27T08:38:46+02:00 New Revision: 61012483df44c181f4200a5b6f260d27f2052df1
URL: https://github.com/llvm/llvm-project/commit/61012483df44c181f4200a5b6f260d27f2052df1 DIFF: https://github.com/llvm/llvm-project/commit/61012483df44c181f4200a5b6f260d27f2052df1.diff LOG: [clang] Fix a use-after free in ASTContext::getSubstBuiltinTemplatePack (#160970) ASTContext::getSubstBuiltinTemplatePack finds InsertPos and then calls itself recursively, which may lead to rehashing and invalidation of all pointers to buckets. The function then proceeds with using the potentially invalid InsertPos, leading to use-after-free. The issue goes back to https://github.com/llvm/llvm-project/pull/157662. I didn't manage to produce a reasonably-sized test case yet. Added: Modified: clang/lib/AST/ASTContext.cpp Removed: ################################################################################
diff --git a/clang/lib/AST/ASTContext.cpp b/clang/lib/AST/ASTContext.cpp
index 07d42e7e2f3b3..61dd330553860 100644
--- a/clang/lib/AST/ASTContext.cpp
+++ b/clang/lib/AST/ASTContext.cpp
@@ -5873,8 +5873,14 @@ ASTContext::getSubstBuiltinTemplatePack(const TemplateArgument &ArgPack) {
   QualType Canon;
   TemplateArgument CanonArgPack = getCanonicalTemplateArgument(ArgPack);
-  if (!CanonArgPack.structurallyEquals(ArgPack))
+  if (!CanonArgPack.structurallyEquals(ArgPack)) {
     Canon = getSubstBuiltinTemplatePack(CanonArgPack);
+    // Refresh InsertPos, in case the recursive call above caused rehashing,
+    // which would invalidate the bucket pointer.
+    [[maybe_unused]] const auto *Nothing =
+        SubstBuiltinTemplatePackTypes.FindNodeOrInsertPos(ID, InsertPos);
+    assert(!Nothing);
+  }
   auto *PackType = new (*this, alignof(SubstBuiltinTemplatePackType))
       SubstBuiltinTemplatePackType(Canon, ArgPack);
_______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
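Review bot: The refreshed probe `SubstBuiltinTemplatePackTypes.FindNodeOrInsertPos(ID, InsertPos)` is guarded only by `assert(!Nothing)`, so in an NDEBUG build a hit would go unnoticed and the later insertion would presumably proceed with whatever insert position the found-node path leaves behind. A shape that makes the invariant structural rather than asserted is to canonicalize first: compute `CanonArgPack` and, when it differs, `Canon = getSubstBuiltinTemplatePack(CanonArgPack)` before the initial `FindNodeOrInsertPos`, so no mutation of the folding set can occur between the probe and the insert, and the second hash plus the `Nothing`/`[[maybe_unused]]` scaffolding disappear. That hoist touches the declarations of `ID` and `InsertPos`, the first lookup and the eventual insert, which all lie outside this hunk, as do the start and end of `getSubstBuiltinTemplatePack`. If the current shape is kept, the comment could state why the assert holds, e.g. `// CanonArgPack differs from ArgPack, so its profile ID should differ and the recursive call cannot have inserted under ours.`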
