I am working on a bug finding tool that looks for a special kind of use-after-free problem in C++ code (a "checker" module in the Clang Static Analyzer), and I've been running it on a few projects to see if it finds anything interesting. I first encountered the following problem when analyzing a fresh copy of LibreOffice (which depends on GPGME), but looking at the newest source code release of GPGME 1.11.1 found here, it still seems to be present.
In the file lang/cpp/src/gpggencardkeyinteractor.cpp, on line 135, we are returning a pointer to a memory region that is already deallocated at the point of return.
std::to_string() returns a string by value, a temporary object, on which c_str() is called to obtain a const char * pointing to its inner buffer. But the temporary string object is destroyed at the end of the return statement, and the caller receives a pointer that references a deallocated buffer.
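To make the lifetime problem concrete, here is a small added example (constructed for this report, not code from GPGME or LibreOffice) that reproduces the pattern in a stand-alone class and shows two ways to avoid it. The class name KeyLengthSource, the member m_lengthCache and the helper copyLength() are all assumptions for the example; the buggy form is kept in a comment so that nothing here compiles into a dangling read.

```cpp
#include <string>
#include <cassert>

// Constructed example (not GPGME's code): a minimal object that must hand
// back a numeric setting as text, mimicking the situation in
// gpggencardkeyinteractor.cpp where the value came from std::to_string().
class KeyLengthSource {
public:
    explicit KeyLengthSource(int bits) : m_bits(bits) {}

    // BUG PATTERN (kept as a comment so it is never compiled or executed):
    //
    //   const char *lengthCStr() const {
    //       return std::to_string(m_bits).c_str();   // dangling pointer
    //   }
    //
    // std::to_string() yields a temporary std::string. Its buffer is freed
    // when the full return expression ends, so the caller receives a
    // pointer into deallocated memory.

    // FIX 1: return the string by value. The caller owns the storage and
    // may call c_str() on its own copy for as long as that copy lives.
    std::string lengthString() const {
        return std::to_string(m_bits);
    }

    // FIX 2: when the interface must stay `const char *`, keep the string
    // alive in a member whose lifetime matches the object's. This is an
    // assumed design choice for the example, not the project's actual fix.
    const char *lengthCStr() const {
        m_lengthCache = std::to_string(m_bits);
        return m_lengthCache.c_str();
    }

private:
    int m_bits;
    mutable std::string m_lengthCache;  // owns the buffer lengthCStr() points into
};

// Caller-side defence: copy a C string into owned storage immediately,
// which is the safe way to consume a pointer of uncertain lifetime.
std::string copyLength(const KeyLengthSource &src) {
    return std::string(src.lengthCStr());
}
```

Building the commented-out form with clang usually triggers a "returning address of local temporary object" diagnostic, and running it under AddressSanitizer reports a heap-use-after-free at the first read through the returned pointer; both are cheap checks to add to CI for code that returns `const char *` from a std::string.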
I hope you find this report useful.