From bab2b26d1007f964c4af5aebfab9eaa71be3962e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Heiko=20Ei=C3=9Ffeldt?=
Date: Fri, 25 Aug 2017 17:17:19 +0200
Subject: [PATCH] Fixed #8154 (heap use after free in tokenlist)
---
 lib/token.cpp | 7 +++++++
 test/testgarbage.cpp | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/token.cpp b/lib/token.cpp
index 02b32090c..9ad05a619 100644
--- a/lib/token.cpp
+++ b/lib/token.cpp
@@ -190,6 +190,11 @@ void Token::deleteNext(unsigned long index)
 {
 while (_next && index) {
 Token *n = _next;
+
+ // #8154 we are about to be unknown -> destroy the link to us
+ if (n->_link && n->_link->_link == n)
+ n->_link->link(nullptr);
+
 _next = n->next();
 delete n;
 --index;
@@ -254,6 +259,8 @@ void Token::deleteThis() if (_link) _link->link(this); + _next->link(nullptr); // mark as unlinked + deleteNext(); } else if (_previous && _previous->_previous) { // Copy previous to this and delete previous _str = _previous->_str;
diff --git a/test/testgarbage.cpp b/test/testgarbage.cpp
index 71f0f9eb6..6a9431600 100644
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@@ -310,7 +310,7 @@ private: } catch (InternalError& e) { ASSERT_EQUALS("Analysis failed. If the code is valid then please report this failure.", e.errorMessage); ASSERT_EQUALS("cppcheckError", e.id); - ASSERT_EQUALS(5, e.token->linenr()); + ASSERT_EQUALS(4, e.token->linenr()); } }
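Review bot: The unlink added ahead of `delete n` in the `while` loop protects only tokens freed through deleteNext(), and the guard itself reads `n->_link->_link`, which is safe only while the partner token is still alive. Any other path that frees a Token (none is visible in this hunk) would leave the same dangling `_link` behind, so it is worth checking whether the back-pointer should instead be cleared in one place, such as the Token destructor. The comment would read better as a statement of the invariant, for example `// #8154: n is about to be freed; clear the partner's back-pointer so it cannot dangle`. The loop body closes outside the hunk.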
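Review bot: The comment on `_next->link(nullptr); // mark as unlinked` in deleteThis() does not say why the link must be dropped before `deleteNext()`. The reason matters here, because the new guard in deleteNext() would otherwise inspect `_next`'s link. Assuming `_link` was copied from `_next` above the hunk, the partner already points at `this` after `_link->link(this)`, so the line appears to be defensive in the common case. I would document that, for example `// #8154: partner now points at this; drop _next's stale link before it is freed`. The dereference of `_next` relies on a null check in the enclosing branch, which starts outside the hunk.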
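Review bot: No regression test for #8154 accompanies the fix; the only test change is the expected line number in the `catch (InternalError& e)` block, which moves from 5 to 4. A garbage-code case built from the #8154 reproducer (not shown on this page) would pin the use-after-free so it cannot silently return, ideally run under a memory-checking build. The shift in the reported line is a visible behaviour change and deserves a one-line reason, for example `// #8154: reported token changed once stale links are cleared on deletion`, if that is indeed the cause. The enclosing test function starts outside the hunk.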