Use after free in Macro::expand() for data freed in Macro::expandHashHash()

Following code leads into heap-use-after-free error in Macro::expand() function:

```
#define hash_hash # # #
#define join inc hash_hash
join
```

This results in following (partial) AddressSanitizer stack backtrace:

```
==29361==ERROR: AddressSanitizer: heap-use-after-free ...
READ of size 8 at 0x60b000009b38 thread T0
    #0 0x52c7d4 in simplecpp::Macro::expand(...) const simplecpp.cpp:1329:60
...
freed by thread T0 here:
    #0 0x4fde00 in operator delete(void*) llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:110
    #1 0x52efd7 in simplecpp::Macro::expandHashHash(...) const simplecpp.cpp:1527:13
    #2 0x52c17b in simplecpp::Macro::expand(...) const simplecpp.cpp:1321:23
...
```

This can be detected by AddressSanitizer and Valgrind (with --track-origins=yes command line switch). Attached the full backtraces from AddressSanitizer and Valgrind runs:

[use-after-free-macro-expand-expandhashhash-asan.txt](https://github.com/danmar/simplecpp/files/580945/use-after-free-macro-expand-expandhashhash-asan.txt)
[use-after-free-macro-expand-expandhashhash-valgrind.txt](https://github.com/danmar/simplecpp/files/580946/use-after-free-macro-expand-expandhashhash-valgrind.txt)

This happens with simplecpp revision d1c995c03515d289c7aa7246a74d666fd012c4eb

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use after free in Macro::expand() for data freed in Macro::expandHashHash() #60

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Use after free in Macro::expand() for data freed in Macro::expandHashHash() #60

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions