Return-Path: <david@tethera.net>
X-Original-To: notmuch@notmuchmail.org
Delivered-To: notmuch@notmuchmail.org
Received: from localhost (localhost [127.0.0.1])
	by olra.theworths.org (Postfix) with ESMTP id 1801F431FCF
	for <notmuch@notmuchmail.org>; Fri, 26 Dec 2014 14:03:25 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
	autolearn=disabled
Received: from olra.theworths.org ([127.0.0.1])
	by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id KcCTnRPUcB45 for <notmuch@notmuchmail.org>;
	Fri, 26 Dec 2014 14:03:21 -0800 (PST)
Received: from yantan.tethera.net (yantan.tethera.net [199.188.72.155])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	by olra.theworths.org (Postfix) with ESMTPS id E091C431FAF
	for <notmuch@notmuchmail.org>; Fri, 26 Dec 2014 14:03:21 -0800 (PST)
Received: from remotemail by yantan.tethera.net with local (Exim 4.80)
	(envelope-from <david@tethera.net>)
	id 1Y4cyc-0007qM-Vs; Fri, 26 Dec 2014 18:03:18 -0400
Received: (nullmailer pid 3992 invoked by uid 1000); Fri, 26 Dec 2014
	22:03:13 -0000
From: David Bremner <david@tethera.net>
To: Tamas Szakaly <sghctoma@gmail.com>, notmuch@notmuchmail.org
Subject: Re: BUG: Using pointer that points to a destructed string's content
In-Reply-To: <20141226113755.GA64154@pamparam>
References: <20141226113755.GA64154@pamparam>
User-Agent: Notmuch/0.19+7~g5d7f7a6 (http://notmuchmail.org) Emacs/24.4.1
	(x86_64-pc-linux-gnu)
Date: Fri, 26 Dec 2014 23:03:13 +0100
Message-ID: <87oaqqf4ri.fsf@maritornes.cs.unb.ca>
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Use and development of the notmuch mail system."
	<notmuch.notmuchmail.org>
List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
	<mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
	<mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Dec 2014 22:03:25 -0000

Tamas Szakaly <sghctoma@gmail.com> writes:

> The following line is from _notmuch_message_add_directory_terms in
> lib/message.cc (line 652 in HEAD):
>
> direntry = (*i).c_str ();
>
> 'i' is a Xapian::TermIterator, whose operator* returns a std::string by value.
> This means that c_str() is called on a temporary, which is destructed after the
> full expression (essentially the particular line in this case), so 'direntry'
> will point to a destructed std::string's data.
> (See https://gcc.gnu.org/onlinedocs/gcc/Temporaries.html)

Does the following patch fix it for you? I have to double check that
direntry wasn't needed for something, but the test suite passes ;).

diff --git a/lib/message.cc b/lib/message.cc
index a7a13cc..24d0d5b 100644
--- a/lib/message.cc
+++ b/lib/message.cc
@@ -649,10 +649,8 @@ _notmuch_message_add_directory_terms (void *ctx, notmuch_message_t *message)
 	/* Indicate that there are filenames remaining. */
 	status = NOTMUCH_STATUS_DUPLICATE_MESSAGE_ID;
 
-	direntry = (*i).c_str ();
-	direntry += direntry_prefix_len;
-
-	directory_id = strtol (direntry, &colon, 10);
+	directory_id = strtol (
+	    (*i).c_str () + direntry_prefix_len, &colon, 10);
 
 	if (colon == NULL || *colon != ':')
 	    INTERNAL_ERROR ("malformed direntry");