From: Tamas Szakaly Date: Fri, 26 Dec 2014 11:37:55 +0000 (+0100) Subject: BUG: Using pointer that points to a destructed string's content X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9e76b3a6878c1ab88d9918f5d9ee2f0072ef003d;p=notmuch-archives.git BUG: Using pointer that points to a destructed string's content --- diff --git a/a4/5fa5f486be1e1b3b9615fff7acc2a77170ab2e b/a4/5fa5f486be1e1b3b9615fff7acc2a77170ab2e new file mode 100644 index 000000000..ea8c62d38 --- /dev/null +++ b/a4/5fa5f486be1e1b3b9615fff7acc2a77170ab2e 
@@ -0,0 +1,107 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 82D15431FDB + for ; Fri, 26 Dec 2014 03:38:05 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: -0.799 +X-Spam-Level: +X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5 + tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, + FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id Zv8QeDvOO4qp for ; + Fri, 26 Dec 2014 03:38:02 -0800 (PST) +Received: from mail-wi0-f171.google.com (mail-wi0-f171.google.com + [209.85.212.171]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) + (No client certificate requested) + by olra.theworths.org (Postfix) with ESMTPS id E5437431FC0 + for ; Fri, 26 Dec 2014 03:38:01 -0800 (PST) +Received: by mail-wi0-f171.google.com with SMTP id bs8so16923699wib.10 + for ; Fri, 26 Dec 2014 03:37:59 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; + h=date:from:to:subject:message-id:mime-version:content-type + :user-agent; bh=70cLSIBqN+X/A8WumNs+2QVtTW8mNSU+0DvpD4KhkS0=; + b=nzX8pL3KTGQ5YZmnWR/uo4JUCoWDSwQtl1pi3qvgBXJY4Xegjj2FWjp7QoI4Op0EyI + JYI23NACQHkrK4NPhGaSWp0iCHOC4orof7GfENSflKAtcB8sZfnrM1J7KKZ9I+97Uaur + DNAszUFoim6TkxkryWASlujgc4POFyKZ3lSDez+MXAlkYxz6fppLQHGYzdOtAb68ns91 + 5TAJb53eBmfRNX13KaMG231qQ71sRy1+0JxnegJohNtishDVdaRXndlEWlktmV+bjVwx + xgB4MINXWss74tHHCcm60xf+GY9qkkCDZ4eNTut8CAoh1LzMZR8wG2FKR2FkvV2hwf3E + x9ZQ== +X-Received: by 10.180.82.98 with SMTP id h2mr68946977wiy.7.1419593878557; + Fri, 26 Dec 2014 03:37:58 -0800 (PST) +Received: from localhost (catv-37-191-19-235.catv.broadband.hu. 
+ [37.191.19.235]) + by mx.google.com with ESMTPSA id ep9sm27952918wid.3.2014.12.26.03.37.56 + for + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Fri, 26 Dec 2014 03:37:57 -0800 (PST) +Date: Fri, 26 Dec 2014 12:37:55 +0100 +From: Tamas Szakaly +To: notmuch@notmuchmail.org +Subject: BUG: Using pointer that points to a destructed string's content +Message-ID: <20141226113755.GA64154@pamparam> +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf-8; x-action=pgp-signed +User-Agent: Mutt/1.5.23.1-rc1 (2014-03-12) +X-Mailman-Approved-At: Fri, 26 Dec 2014 12:08:53 -0800 +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Fri, 26 Dec 2014 11:38:05 -0000 + +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +Dear notmuch developers, + +The following line is from _notmuch_message_add_directory_terms in +lib/message.cc (line 652 in HEAD): + +direntry = (*i).c_str (); + +'i' is a Xapian::TermIterator, whose operator* returns a std::string by value. +This means that c_str() is called on a temporary, which is destructed after the +full expression (essentially the particular line in this case), so 'direntry' +will point to a destructed std::string's data. +(See https://gcc.gnu.org/onlinedocs/gcc/Temporaries.html) + +One possible modification to correct this issue is using strdup: + +direntry = strdup((*i).c_str ()); + +Note: +Despite the fact that it is wrong, it *generally* works, because delete[]-ing +the underlying character array in the destructor of std::string does not really +touch the memory content, and there is only a minor chance that this memory area +will be allocated again (e.g. from another thread). 
This caused me some headache +though with 'notmuch new' on FreeBSD 11-CURRENT, where jemalloc is configured so +that freed memory will be filled with 0x5a's. + +Best regards, +sghctoma + +- -- +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQEcBAEBAgAGBQJUnUiQAAoJEE8tbNCQOSmESAsH/ih+EFx0WJEzImBkNe4I4H+0 +Wj9u/ymmpgLwWnV0rg0oxnYoX5T6zT2e1jwTD73H7N4A2Xf2Susjbr6csTP2YyQB +aUbZ5/Ajq+COgpoEXTQUbrIPcIbdl0X05/k9f/OdNqZMHVK6j08hw2oqtpsq6v1+ +PiuAa7kKrMda5rzLk08z1/qmJ6D7G2Trl6r5LPfytZhPwrphAJ9bWBofIIJLBQ0R +RdeTmGuzc7FBw1a1JqJWkDL1lI91VTD49Wr/VqYXPbfcWbaHhVYSklDshyEYaK/+ +skemzV+aIWJiNHpkALdh3t+070caXlv5hwa826Q4kB0FMmkNlShjFqpXLJToEWo= +=hshP +-----END PGP SIGNATURE-----
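Review bot: the correction proposed in the message body, `direntry = strdup((*i).c_str ());`, gives `direntry` ownership of a heap copy but says nothing about releasing it, so applied as written it replaces the dangling pointer with a leak unless a matching `free` is added after the last use of `direntry`. It also leaves the `strdup` return value unchecked for NULL. An alternative that needs no manual cleanup is to bind the result of `*i` to a named `std::string` whose scope covers every use of `direntry`, and call `c_str()` on that named object instead of on the temporary. The note about jemalloc filling freed memory with 0x5a is a useful reproduction hint: an allocator that fills freed memory turns the "generally works" case into a deterministic failure, which makes it a good way to confirm whichever fix is chosen.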