Quanlong Huang created ORC-1081:
-----------------------------------
Summary: heap-use-after-free in
orc::SearchArgumentBuilderImpl::end()
Key: ORC-1081
URL: https://issues.apache.org/jira/browse/ORC-1081
Project: ORC
Issue Type: Sub-task
Components: C++
Affects Versions: 1.7.2, 1.7.1, 1.7.0
Reporter: Quanlong Huang
Assignee: Quanlong Huang
Built ORC with AddressSanitizer and found a heap-use-after-free error in
orc::SearchArgumentBuilderImpl::end()
{code:cpp}
SearchArgumentBuilder& SearchArgumentBuilderImpl::end() {
TreeNode& current = mCurrTree.front();
mCurrTree.pop_front(); // <----- This will delete the TreeNode.
if (current->getChildren().empty()) {
throw std::invalid_argument("Cannot create expression " +
mRoot->toString() + " with no children.");
}
if (current->getOperator() == ExpressionTree::Operator::NOT &&
current->getChildren().size() != 1) {
throw std::invalid_argument("Can't create NOT expression " +
current->toString() + " with more than 1 child.");
}
return *this;
} {code}
We should call {{mCurrTree.pop_front()}} after using the TreeNode.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
