Page MenuHome GnuPG

[GPGME] Use-after-free problem in gpggencardkeyinteractor.cpp
Closed, ResolvedPublic

Description

Hi,

I am working on a bug finding tool that looks for a special kind of a use-after-free problem in C++ code (a "checker" module in the Clang Static Analyzer), and I've been running it on a few projects to see if it finds anything interesting. I first encountered the following problem when analyzing a fresh copy of LibreOffice (which is dependent on GPGME), but looking at the newest source code release of GPGME 1.11.1 found here, it still seems to be present.

In the file lang/cpp/src/gpggencardkeyinteractor.cpp, on line 135, we are returning a pointer to a memory region that is already deallocated at the point of return.

return std::to_string(d->keysize).c_str();

std::to_string() returns a string by value, a temporary object, on which c_str() is called to obtain a const char * pointing to its inner buffer. But the temporary string object is destroyed at the end of the return statement, and the caller receives a pointer that references a deallocated buffer.

I hope you find this report useful.

Best,
Réka

Event Timeline

Thanks for the report. I've commited a fix. (Returning the c_str here is ok as the data is not meant to be modified once "action" is called)
Please let us know if you find additional issues.

aheinecke claimed this task.