diff options
| author | Jooyung Han <jooyung@google.com> | 2021-09-15 22:37:39 +0900 |
|---|---|---|
| committer | Treehugger Robot <treehugger-gerrit@google.com> | 2021-09-16 00:26:43 +0000 |
| commit | 55db811ed457f4e5df791a0c9e3ea545b81b687f (patch) | |
| tree | 939280de6e946429147f7a8d0224e4f1223992cf /aidl_language_y.yy | |
| parent | 5a4db21004e3485cdbb98214af4568362cff9b68 (diff) | |
| download | aidl-55db811ed457f4e5df791a0c9e3ea545b81b687f.tar.gz | |
Fix use-after-free on annotation parse error
There's a mistake in 442cacfc96f69adce7b55bd28cf07a75fbcb4b65.
It missed to set $$ when AidlAnnotation::Parse fails. When $$ is not
set, it points to the first component of the rule ($1) which is deleted.
Bug: 200010248
Test: aidl_unittests
Change-Id: I8b46af7db44ebcc63ab37340536ad8210af53fb9
Diffstat (limited to 'aidl_language_y.yy')
| -rw-r--r-- | aidl_language_y.yy | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/aidl_language_y.yy b/aidl_language_y.yy index 95185798..3078dae3 100644 --- a/aidl_language_y.yy +++ b/aidl_language_y.yy @@ -772,10 +772,9 @@ parameter_non_empty_list annotation : ANNOTATION { - auto annot = AidlAnnotation::Parse(loc(@1), $1->GetText(), {}, $1->GetComments()); - if (annot) { - $$ = annot.release(); - } else { + // release() returns nullptr if unique_ptr is empty. + $$ = AidlAnnotation::Parse(loc(@1), $1->GetText(), {}, $1->GetComments()).release(); + if (!$$) { ps->AddError(); } delete $1; |