CVE-2023-39070: cppcheck / Discussion / General Discussion: Heap UAF in lib/token.cpp:1934

An issue in Cppcheck 2.12 dev allows a local attacker to execute arbitrary code via the removeContradiction parameter in token.cpp:1934.


Heap UAF in lib/token.cpp:1934

Created: 2023-07-19

Updated: 2023-07-19

  • Description

    Heap UAF in lib/token.cpp:1934

    Version

    ➜ bin git:(main) ./cppcheck --version
    Cppcheck 2.12 dev commit d2546d525273c45dfc3bab946e8893b69bb5a542

    Replay

    git clone https://github.com/danmar/cppcheck.git
    cd cppcheck
    mkdir build
    cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake ..
    cmake --build . -j
    ./cppcheck poc

    POC

    poc

    ASAN

    Checking poc…

    ==1896786==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000008450 at pc 0x555555f66ffa bp 0x7ffffffe63a0 sp 0x7ffffffe6390
    READ of size 4 at 0x612000008450 thread T0
        #0 0x555555f66ff9 in ValueFlow::Value::equalValue(ValueFlow::Value const&) const cppcheck/lib/vfvalue.h:74
        #1 0x55555688db00 in ValueFlow::Value::operator==(ValueFlow::Value const&) const cppcheck/lib/vfvalue.h:163
        #2 0x5555568919b4 in std::__debug::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::remove(ValueFlow::Value const&) /usr/include/c++/7/debug/list:649
        #3 0x555556867324 in removeContradiction cppcheck/lib/token.cpp:1934
        #4 0x555556869d41 in removeContradictions cppcheck/lib/token.cpp:2068
        #5 0x55555686b23c in Token::addValue(ValueFlow::Value const&) cppcheck/lib/token.cpp:2158
        #6 0x5555569bed52 in setTokenValue cppcheck/lib/valueflow.cpp:624
        #7 0x5555569c224a in setTokenValue cppcheck/lib/valueflow.cpp:769
        #8 0x5555569dab6d in valueFlowImpossibleValues cppcheck/lib/valueflow.cpp:1853
        #9 0x555556a3f76e in operator() cppcheck/lib/valueflow.cpp:9466
        #10 0x555556a901c5 in run cppcheck/lib/valueflow.cpp:9405
        #11 0x555556ac313d in ValueFlowPassRunner::run(ValuePtr<ValueFlowPass> const&) const cppcheck/lib/valueflow.cpp:9333
        #12 0x555556ac2200 in ValueFlowPassRunner::run(std::initializer_list<ValuePtr<ValueFlowPass>>) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}::operator()(ValuePtr<ValueFlowPass> const&) const cppcheck/lib/valueflow.cpp:9302
        [#13-#18: libstdc++ _Iter_pred / __find_if / find_if / none_of / any_of template frames omitted]
        #19 0x555556ac2475 in ValueFlowPassRunner::run(std::initializer_list<ValuePtr<ValueFlowPass>>) const cppcheck/lib/valueflow.cpp:9300
        #20 0x555556a437fb in ValueFlow::setValues(TokenList, SymbolDatabase, ErrorLogger, Settings const, TimerResultsIntf) cppcheck/lib/valueflow.cpp:9465
        #21 0x5555568cafcd in Tokenizer::simplifyTokens1(std::string const&) cppcheck/lib/tokenize.cpp:3365
        #22 0x5555563e6c28 in CppCheck::checkFile(std::string const&, std::string const&, std::istream) cppcheck/lib/cppcheck.cpp:908
        #23 0x5555563dddd8 in CppCheck::check(std::string const&) cppcheck/lib/cppcheck.cpp:590
        #24 0x555555f071ce in SingleExecutor::check() cppcheck/cli/singleexecutor.cpp:60
        #25 0x555555e7c1fd in CppCheckExecutor::check_internal(CppCheck&) cppcheck/cli/cppcheckexecutor.cpp:289
        #26 0x555555e7b04b in CppCheckExecutor::check(int, char const* const*) cppcheck/cli/cppcheckexecutor.cpp:223
        #27 0x555555e426e1 in main cppcheck/cli/main.cpp:91
        #28 0x7ffff6cbd082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #29 0x555555e4253d in _start (cppcheck/build/bin/cppcheck+0x8ee53d)

    0x612000008450 is located 16 bytes inside of 272-byte region [0x612000008440,0x612000008550)
    freed by thread T0 here:
        #0 0x7ffff72dc0d0 in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.4+0xe20d0)
        #1 0x55555650ae2f in __gnu_cxx::new_allocator<std::__cxx1998::_List_node<ValueFlow::Value>>::deallocate(std::__cxx1998::_List_node<ValueFlow::Value>*, unsigned long) /usr/include/c++/7/ext/new_allocator.h:125
        #2 0x555556505705 in std::allocator_traits<std::allocator<std::__cxx1998::_List_node<ValueFlow::Value>>>::deallocate(std::allocator<std::__cxx1998::_List_node<ValueFlow::Value>>&, std::__cxx1998::_List_node<ValueFlow::Value>*, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:462
        #3 0x5555564fe723 in std::__cxx1998::__cxx11::_List_base<ValueFlow::Value, std::allocator<ValueFlow::Value>>::_M_put_node(std::__cxx1998::_List_node<ValueFlow::Value>*) /usr/include/c++/7/bits/stl_list.h:387
        #4 0x555556505578 in std::__cxx1998::__cxx11::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::_M_erase(std::__cxx1998::_List_iterator<ValueFlow::Value>) /usr/include/c++/7/bits/stl_list.h:1820
        #5 0x5555564fe649 in std::__cxx1998::__cxx11::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::erase(std::__cxx1998::_List_const_iterator<ValueFlow::Value>) /usr/include/c++/7/bits/list.tcc:157
        #6 0x5555564f4f16 in std::__debug::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::_M_erase(std::__cxx1998::_List_const_iterator<ValueFlow::Value>) /usr/include/c++/7/debug/list:491
        #7 0x555556891a3e in std::__debug::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::remove(ValueFlow::Value const&) /usr/include/c++/7/debug/list:650
        #8 0x555556867324 in removeContradiction cppcheck/lib/token.cpp:1934
        #9 0x555556869d41 in removeContradictions cppcheck/lib/token.cpp:2068
        #10 0x55555686b23c in Token::addValue(ValueFlow::Value const&) cppcheck/lib/token.cpp:2158
        #11 0x5555569bed52 in setTokenValue cppcheck/lib/valueflow.cpp:624
        #12 0x5555569c224a in setTokenValue cppcheck/lib/valueflow.cpp:769
        #13 0x5555569dab6d in valueFlowImpossibleValues cppcheck/lib/valueflow.cpp:1853
        #14 0x555556a3f76e in operator() cppcheck/lib/valueflow.cpp:9466
        #15 0x555556a901c5 in run cppcheck/lib/valueflow.cpp:9405
        #16 0x555556ac313d in ValueFlowPassRunner::run(ValuePtr<ValueFlowPass> const&) const cppcheck/lib/valueflow.cpp:9333
        #17 0x555556ac2200 in ValueFlowPassRunner::run(std::initializer_list<ValuePtr<ValueFlowPass>>) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}::operator()(ValuePtr<ValueFlowPass> const&) const cppcheck/lib/valueflow.cpp:9302
        [#18-#23: libstdc++ _Iter_pred / __find_if / find_if / none_of / any_of template frames omitted]
        #24 0x555556ac2475 in ValueFlowPassRunner::run(std::initializer_list<ValuePtr<ValueFlowPass>>) const cppcheck/lib/valueflow.cpp:9300
        #25 0x555556a437fb in ValueFlow::setValues(TokenList, SymbolDatabase, ErrorLogger, Settings const, TimerResultsIntf) cppcheck/lib/valueflow.cpp:9465
        #26 0x5555568cafcd in Tokenizer::simplifyTokens1(std::string const&) cppcheck/lib/tokenize.cpp:3365
        #27 0x5555563e6c28 in CppCheck::checkFile(std::string const&, std::string const&, std::istream) cppcheck/lib/cppcheck.cpp:908
        #28 0x5555563dddd8 in CppCheck::check(std::string const&) cppcheck/lib/cppcheck.cpp:590
        #29 0x555555f071ce in SingleExecutor::check() cppcheck/cli/singleexecutor.cpp:60

    previously allocated by thread T0 here:
        #0 0x7ffff72db258 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.4+0xe1258)
        #1 0x555556514674 in __gnu_cxx::new_allocator<std::__cxx1998::_List_node<ValueFlow::Value>>::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x555556512b12 in std::allocator_traits<std::allocator<std::__cxx1998::_List_node<ValueFlow::Value>>>::allocate(std::allocator<std::__cxx1998::_List_node<ValueFlow::Value>>&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x5555565118c6 in std::__cxx1998::__cxx11::_List_base<ValueFlow::Value, std::allocator<ValueFlow::Value>>::_M_get_node() /usr/include/c++/7/bits/stl_list.h:383
        #4 0x55555689bc73 in std::__cxx1998::_List_node<ValueFlow::Value>* std::__cxx1998::__cxx11::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::_M_create_node<ValueFlow::Value>(ValueFlow::Value&&) /usr/include/c++/7/bits/stl_list.h:572
        #5 0x555556897a8b in void std::__cxx1998::__cxx11::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::_M_insert<ValueFlow::Value>(std::__cxx1998::_List_iterator<ValueFlow::Value>, ValueFlow::Value&&) /usr/include/c++/7/bits/stl_list.h:1801
        #6 0x555556893a56 in std::__cxx1998::__cxx11::list<ValueFlow::Value, std::allocator<ValueFlow::Value>>::push_back(ValueFlow::Value&&) /usr/include/c++/7/bits/stl_list.h:1123
        #7 0x55555686af12 in Token::addValue(ValueFlow::Value const&) cppcheck/lib/token.cpp:2148
        #8 0x5555569bed52 in setTokenValue cppcheck/lib/valueflow.cpp:624
        #9 0x5555569c224a in setTokenValue cppcheck/lib/valueflow.cpp:769
        #10 0x5555569d77d5 in valueFlowBitAnd cppcheck/lib/valueflow.cpp:1649
        #11 0x555556a3f6c6 in operator() cppcheck/lib/valueflow.cpp:9460
        #12 0x555556a905eb in run cppcheck/lib/valueflow.cpp:9405
        #13 0x555556ac313d in ValueFlowPassRunner::run(ValuePtr<ValueFlowPass> const&) const cppcheck/lib/valueflow.cpp:9333
        #14 0x555556ac20e8 in ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}::operator()(ValuePtr<ValueFlowPass> const&) const cppcheck/lib/valueflow.cpp:9291
        [#15-#20: libstdc++ _Iter_pred / __find_if / find_if / none_of / any_of template frames omitted]
        #21 0x555556ac21b0 in ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const cppcheck/lib/valueflow.cpp:9291
        #22 0x555556a41ce9 in ValueFlow::setValues(TokenList, SymbolDatabase, ErrorLogger, Settings const, TimerResultsIntf) cppcheck/lib/valueflow.cpp:9447
        #23 0x5555568cafcd in Tokenizer::simplifyTokens1(std::string const&) cppcheck/lib/tokenize.cpp:3365
        #24 0x5555563e6c28 in CppCheck::checkFile(std::string const&, std::string const&, std::istream) cppcheck/lib/cppcheck.cpp:908
        #25 0x5555563dddd8 in CppCheck::check(std::string const&) cppcheck/lib/cppcheck.cpp:590
        #26 0x555555f071ce in SingleExecutor::check() cppcheck/cli/singleexecutor.cpp:60
        #27 0x555555e7c1fd in CppCheckExecutor::check_internal(CppCheck&) cppcheck/cli/cppcheckexecutor.cpp:289
        #28 0x555555e7b04b in CppCheckExecutor::check(int, char const* const*) cppcheck/cli/cppcheckexecutor.cpp:223
        #29 0x555555e426e1 in main cppcheck/cli/main.cpp:91

    SUMMARY: AddressSanitizer: heap-use-after-free cppcheck/lib/vfvalue.h:74 in ValueFlow::Value::equalValue(ValueFlow::Value const&) const

    Environment

    Linux server 5.4.0-153-generic #170-Ubuntu SMP Fri Jun 16 13:43:31 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
    gcc (Ubuntu 7.5.0-6ubuntu2) 7.5.0

Last edit: Tamagawa Takeshi 2023-07-19
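Reading the two traces together: the read at debug/list:649 and the free at debug/list:650 happen inside one std::list::remove() call from removeContradiction (token.cpp:1934), and within that loop the only freed memory still reachable at the comparison is the remove() argument itself, so the argument must refer to a node of the very list being modified. The C++ below is an added example, not cppcheck's code: Value, removeUnguarded, removeAliasSafe and removeByCopy are constructed stand-ins that show the unsafe loop shape beside two ways of making the call safe. The guard in removeAliasSafe is the one libstdc++'s release-mode remove applies; that the debug-mode container in this trace lacks it is an inference from the frames, not something the report states.

```cpp
// Added example, not cppcheck's code: a constructed stand-in for
// ValueFlow::Value and three ways of removing matching list elements.
#include <cstddef>
#include <iterator>
#include <list>
#include <memory>   // std::addressof
#include <vector>

// Equality reads a field of the argument; that is the read ASan reports at
// vfvalue.h:74 once the argument refers to an already-freed list node.
struct Value {
    long intvalue;
    bool operator==(const Value& o) const { return intvalue == o.intvalue; }
};

// Same shape as the debug-mode std::list::remove loop in the trace
// (compare on one line, erase on the next). If `value` refers to an element
// of `lst`, the iteration that erases that element frees the memory `value`
// points at and every later `*it == value` is a heap use-after-free.
// Shown for contrast only; it is safe only when `value` lives outside `lst`.
std::size_t removeUnguarded(std::list<Value>& lst, const Value& value) {
    std::size_t n = 0;
    for (auto it = lst.begin(); it != lst.end();) {
        if (*it == value) { it = lst.erase(it); ++n; }  // frees the node
        else ++it;
    }
    return n;
}

// Aliasing-safe variant (the guard libstdc++'s release-mode remove applies):
// the node that *is* `value` is remembered and erased last, so the reference
// stays valid for every comparison in the loop.
std::size_t removeAliasSafe(std::list<Value>& lst, const Value& value) {
    std::size_t n = 0;
    auto aliased = lst.end();
    for (auto it = lst.begin(); it != lst.end();) {
        if (!(*it == value)) { ++it; continue; }
        if (std::addressof(*it) == std::addressof(value)) { aliased = it; ++it; }
        else { it = lst.erase(it); ++n; }
    }
    if (aliased != lst.end()) { lst.erase(aliased); ++n; }
    return n;
}

// Caller-side fix that does not depend on the container implementation:
// copy the element first so remove() never receives a reference into `lst`.
std::size_t removeByCopy(std::list<Value>& lst, std::list<Value>::iterator which) {
    const Value copy = *which;          // lives outside the list
    const std::size_t before = lst.size();
    lst.remove(copy);
    return before - lst.size();
}

// Remaining values in order, for checking results.
std::vector<long> contents(const std::list<Value>& lst) {
    std::vector<long> out;
    for (const Value& v : lst) out.push_back(v.intvalue);
    return out;
}

int main() {
    // Constructed input: two equal values, removed via a reference to the
    // first node, which is the call shape the unguarded loop cannot handle.
    std::list<Value> values{{1}, {2}, {1}, {3}};
    removeAliasSafe(values, values.front());   // leaves {2, 3}
    return contents(values) == std::vector<long>{2, 3} ? 0 : 1;
}
```

Building cppcheck with -fsanitize=address, as the Replay section does, is the detection that surfaces this class of bug; the debug-mode container only changes where the freed read happens, not whether the aliasing call is wrong.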
  • That is clearly invalid code. Cppcheck generally assumes that its input is compilable.

    • Perhaps it can be considered that the poc I provided is unexpected input, which exposes a flaw in cppcheck. Maybe in the next version, cppcheck should reject this type of input.

