From ee6619b1246b38cfb36f6efd931a6f475a9033c7 Mon Sep 17 00:00:00 2001
From: David Malcolm
Date: Wed, 19 Feb 2025 09:46:43 -0500
Subject: [PATCH] input: give file_cache_slot its own copy of the file path [PR118919]

input.cc's file_cache was borrowing copies of the file name. This could lead to use-after-free when writing out sarif output from Fortran, which frees its filenames before the sarif output is fully written out. Fix by taking a copy in file_cache_slot.
gcc/ChangeLog:
PR other/118919
* input.cc (file_cache_slot::m_file_path): Make non-const.
(file_cache_slot::evict): Free m_file_path.
(file_cache_slot::create): Store a copy of file_path if non-null.
(file_cache_slot::~file_cache_slot): Free m_file_path.
Signed-off-by: David Malcolm
---
 gcc/input.cc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/gcc/input.cc b/gcc/input.cc
index f0eacf59c8e..44017589a3d 100644
--- a/gcc/input.cc
+++ b/gcc/input.cc
@@ -134,10 +134,8 @@ public:
 unsigned m_use_count;
 /* The file_path is the key for identifying a particular file in
- the cache.
- For libcpp-using code, the underlying buffer for this field is
- owned by the corresponding _cpp_file within the cpp_reader. */
- const char *m_file_path;
+ the cache. This copy is owned by the slot. */
+ char *m_file_path;
 FILE *m_fp;
@@ -395,6 +393,7 @@ file_cache::add_buffered_content (const char *file_path,
 void
 file_cache_slot::evict ()
 {
+ free (m_file_path);
 m_file_path = NULL;
 if (m_fp)
 fclose (m_fp);
@@ -492,7 +491,7 @@ file_cache_slot::create (const file_cache::input_context &in_context,
 const char *file_path, FILE *fp,
 unsigned highest_use_count)
 {
- m_file_path = file_path;
+ m_file_path = file_path ? xstrdup (file_path) : nullptr;
 if (m_fp)
 fclose (m_fp);
 m_error = false;
@@ -623,6 +622,7 @@ file_cache_slot::file_cache_slot ()
 file_cache_slot::~file_cache_slot ()
 {
+ free (m_file_path);
 if (m_fp)
 {
 fclose (m_fp);
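Review bot: `m_file_path` becomes an owning raw pointer in the first hunk, but nothing visible in this patch prevents a `file_cache_slot` from being copied; with an implicit copy constructor or assignment, two slots would hold the same buffer and `evict ()` or the destructor would `free` it twice. The class declaration continues outside the hunk, so this may already be handled; if it is not, deleting the copy operations (`file_cache_slot (const file_cache_slot &) = delete;` plus the matching `operator=`) lets the compiler enforce the ownership rule. The new comment could also name the allocator pairing, for example `This copy is owned by the slot: allocated with xstrdup in create, released with free in evict and the destructor.`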
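Review bot: The new assignment in `file_cache_slot::create` overwrites `m_file_path` without releasing the previous copy, so a slot that reaches `create` without a preceding `evict ()` would leak the old string. The neighbouring `if (m_fp) fclose (m_fp);` suggests `create` does not assume a clean slot. Duplicating before freeing stays safe even if a caller passes the slot's own path: `char *new_path = file_path ? xstrdup (file_path) : nullptr;` then `free (m_file_path);` then `m_file_path = new_path;`. The body of `create` and its callers lie outside the hunk, so whether every caller evicts first cannot be confirmed from here.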