[ORC-1081] heap-use-after-free in orc::SearchArgumentBuilderImpl::end() - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.7.0, 1.7.1, 1.7.2
Fix Version/s: 1.7.3
Component/s: C++
Labels:
None

Description

Built ORC with AddressSanitizer and found a heap-use-after-free error in orc::SearchArgumentBuilderImpl::end()

SearchArgumentBuilder& SearchArgumentBuilderImpl::end() {
  TreeNode& current = mCurrTree.front();
  mCurrTree.pop_front();  // <----- This will delete the TreeNode.
  if (current->getChildren().empty()) {
    throw std::invalid_argument("Cannot create expression " +
      mRoot->toString() + " with no children.");
  }
  if (current->getOperator() == ExpressionTree::Operator::NOT &&
      current->getChildren().size() != 1) {
    throw std::invalid_argument("Can't create NOT expression " +
      current->toString() + " with more than 1 child.");
  }
  return *this;
}

We should call mCurrTree.pop_front() after using the TreeNode.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

asan_report.txt
08/Jan/22 01:04
10 kB
Quanlong Huang

Issue Links

links to

GitHub Pull Request #998

Activity

People

Assignee:: Quanlong Huang

Reporter:: Quanlong Huang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Jan/22 01:00

Updated:: 10/Feb/22 08:05

Resolved:: 08/Jan/22 23:33