Posted to issues@orc.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2022/01/08 23:29:00 UTC

[jira] [Commented] (ORC-1081) heap-use-after-free in orc::SearchArgumentBuilderImpl::end()

    [ https://issues.apache.org/jira/browse/ORC-1081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471245#comment-17471245 ] 

Dongjoon Hyun commented on ORC-1081:
------------------------------------

Thank you for reporting, [~stigahuang].

> heap-use-after-free in orc::SearchArgumentBuilderImpl::end()
> ------------------------------------------------------------
>
>                 Key: ORC-1081
>                 URL: https://issues.apache.org/jira/browse/ORC-1081
>             Project: ORC
>          Issue Type: Sub-task
>          Components: C++
>    Affects Versions: 1.7.0, 1.7.1, 1.7.2
>            Reporter: Quanlong Huang
>            Assignee: Quanlong Huang
>            Priority: Major
>         Attachments: asan_report.txt
>
>
> Built ORC with AddressSanitizer and found a heap-use-after-free error in orc::SearchArgumentBuilderImpl::end()
> {code:cpp}
> SearchArgumentBuilder& SearchArgumentBuilderImpl::end() {
>   TreeNode& current = mCurrTree.front();
>   mCurrTree.pop_front();  // <----- This will delete the TreeNode.
>   if (current->getChildren().empty()) {
>     throw std::invalid_argument("Cannot create expression " +
>       mRoot->toString() + " with no children.");
>   }
>   if (current->getOperator() == ExpressionTree::Operator::NOT &&
>       current->getChildren().size() != 1) {
>     throw std::invalid_argument("Can't create NOT expression " +
>       current->toString() + " with more than 1 child.");
>   }
>   return *this;
> }
> {code}
> We should call {{mCurrTree.pop_front()}} after using the TreeNode.



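An added example, not part of the original report and not the project's own fix: a self-contained C++ sketch of the pattern in the quoted end(). It assumes TreeNode is a std::shared_ptr and mCurrTree is a std::deque of them. Expr, Builder, leaf() and ownersLeftAfterPop() are hypothetical stand-ins. The hardened end() takes a by-value copy of the handle, which is one way to satisfy "pop after use" while still popping on the throwing paths.

```cpp
#include <deque>
#include <memory>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins for the ORC types; only the ownership shape matters.
struct Expr {
  bool isNot;
  std::vector<std::shared_ptr<Expr>> children;
};
using TreeNode = std::shared_ptr<Expr>;  // assumption: TreeNode is a shared_ptr

// pop_front() destroys the deque's own handle, the object a `TreeNode&` from
// front() refers to; only the outside owner is left afterwards.
long ownersLeftAfterPop() {
  TreeNode node = std::make_shared<Expr>(Expr{false, {}});
  std::deque<TreeNode> stack{node};  // two owners: node and the deque element
  stack.pop_front();                 // a reference to front() dangles from here
  return node.use_count();
}

class Builder {
 public:
  Builder& start(bool isNot) {
    TreeNode node = std::make_shared<Expr>(Expr{isNot, {}});
    if (mCurrTree.empty()) mRoot = node;
    else mCurrTree.front()->children.push_back(node);
    mCurrTree.push_front(node);
    return *this;
  }
  Builder& leaf() {
    mCurrTree.front()->children.push_back(std::make_shared<Expr>(Expr{false, {}}));
    return *this;
  }
  // Hardened end(): copy the handle so nothing refers to the popped element.
  Builder& end() {
    if (mCurrTree.empty()) throw std::logic_error("end() without start()");
    TreeNode current = mCurrTree.front();  // by value, not TreeNode&
    mCurrTree.pop_front();
    if (current->children.empty())
      throw std::invalid_argument("expression with no children");
    if (current->isNot && current->children.size() != 1)
      throw std::invalid_argument("NOT with more than 1 child");
    return *this;
  }
  std::size_t depth() const { return mCurrTree.size(); }
 private:
  std::deque<TreeNode> mCurrTree;
  TreeNode mRoot;
};
```

Building the original reference-based form with -fsanitize=address is what surfaces the read of the freed element, as in the attached ASan report.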