You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@orc.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2022/01/08 01:05:00 UTC

[jira] [Updated] (ORC-1081) heap-use-after-free in orc::SearchArgumentBuilderImpl::end()

     [ https://issues.apache.org/jira/browse/ORC-1081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Quanlong Huang updated ORC-1081:
--------------------------------
    Attachment: asan_report.txt

> heap-use-after-free in orc::SearchArgumentBuilderImpl::end()
> ------------------------------------------------------------
>
>                 Key: ORC-1081
>                 URL: https://issues.apache.org/jira/browse/ORC-1081
>             Project: ORC
>          Issue Type: Sub-task
>          Components: C++
>    Affects Versions: 1.7.0, 1.7.1, 1.7.2
>            Reporter: Quanlong Huang
>            Assignee: Quanlong Huang
>            Priority: Major
>         Attachments: asan_report.txt
>
>
> Built ORC with AddressSanitizer and found a heap-use-after-free error in orc::SearchArgumentBuilderImpl::end()
> {code:cpp}
> SearchArgumentBuilder& SearchArgumentBuilderImpl::end() {
>   TreeNode& current = mCurrTree.front();
>   mCurrTree.pop_front();  // <----- This will delete the TreeNode.
>   if (current->getChildren().empty()) {
>     throw std::invalid_argument("Cannot create expression " +
>       mRoot->toString() + " with no children.");
>   }
>   if (current->getOperator() == ExpressionTree::Operator::NOT &&
>       current->getChildren().size() != 1) {
>     throw std::invalid_argument("Can't create NOT expression " +
>       current->toString() + " with more than 1 child.");
>   }
>   return *this;
> } {code}
> We should call {{mCurrTree.pop_front()}} after using the TreeNode.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)