https://gcc.gnu.org/g:ee6619b1246b38cfb36f6efd931a6f475a9033c7
commit r15-7627-gee6619b1246b38cfb36f6efd931a6f475a9033c7
Author: David Malcolm <dmalc...@redhat.com>
Date: Wed Feb 19 09:46:43 2025 -0500
input: give file_cache_slot its own copy of the file path [PR118919]
input.cc's file_cache was borrowing copies of the file name.
This could lead to use-after-free when writing out sarif output
from Fortran, which frees its filenames before the sarif output
is fully written out.
Fix by taking a copy in file_cache_slot.
gcc/ChangeLog:
PR other/118919
* input.cc (file_cache_slot::m_file_path): Make non-const.
(file_cache_slot::evict): Free m_file_path.
(file_cache_slot::create): Store a copy of file_path if non-null.
(file_cache_slot::~file_cache_slot): Free m_file_path.
Signed-off-by: David Malcolm <dmalc...@redhat.com>
Diff:
---
gcc/input.cc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/gcc/input.cc b/gcc/input.cc
index f0eacf59c8e2..44017589a3d1 100644
--- a/gcc/input.cc
+++ b/gcc/input.cc
@@ -134,10 +134,8 @@ public:
unsigned m_use_count;
/* The file_path is the key for identifying a particular file in
- the cache.
- For libcpp-using code, the underlying buffer for this field is
- owned by the corresponding _cpp_file within the cpp_reader. */
- const char *m_file_path;
+ the cache. This copy is owned by the slot. */
+ char *m_file_path;
FILE *m_fp;
@@ -395,6 +393,7 @@ file_cache::add_buffered_content (const char *file_path,
void
file_cache_slot::evict ()
{
+ free (m_file_path);
m_file_path = NULL;
if (m_fp)
fclose (m_fp);
@@ -492,7 +491,7 @@ file_cache_slot::create (const file_cache::input_context
&in_context,
const char *file_path, FILE *fp,
unsigned highest_use_count)
{
- m_file_path = file_path;
+ m_file_path = file_path ? xstrdup (file_path) : nullptr;
if (m_fp)
fclose (m_fp);
m_error = false;
@@ -623,6 +622,7 @@ file_cache_slot::file_cache_slot ()
file_cache_slot::~file_cache_slot ()
{
+ free (m_file_path);
if (m_fp)
{
fclose (m_fp);
