BUG: Using pointer that points to a destructed string's content
David Bremner
david at tethera.net
Fri Dec 26 14:03:13 PST 2014
Tamas Szakaly <sghctoma at gmail.com> writes:
> The following line is from _notmuch_message_add_directory_terms in
> lib/message.cc (line 652 in HEAD):
>
> direntry = (*i).c_str ();
>
> 'i' is a Xapian::TermIterator, whose operator* returns a std::string by value.
> This means that c_str() is called on a temporary, which is destructed after the
> full expression (essentially the particular line in this case), so 'direntry'
> will point to a destructed std::string's data.
> (See https://gcc.gnu.org/onlinedocs/gcc/Temporaries.html)
Does the following patch fix it for you? I have to double check that
direntry wasn't needed for something, but the test suite passes ;).
diff --git a/lib/message.cc b/lib/message.cc
index a7a13cc..24d0d5b 100644
--- a/lib/message.cc
+++ b/lib/message.cc
@@ -649,10 +649,8 @@ _notmuch_message_add_directory_terms (void *ctx, notmuch_message_t *message)
/* Indicate that there are filenames remaining. */
status = NOTMUCH_STATUS_DUPLICATE_MESSAGE_ID;
- direntry = (*i).c_str ();
- direntry += direntry_prefix_len;
-
- directory_id = strtol (direntry, &colon, 10);
+ directory_id = strtol (
+ (*i).c_str () + direntry_prefix_len, &colon, 10);
if (colon == NULL || *colon != ':')
INTERNAL_ERROR ("malformed direntry");
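Review bot: `colon` is still dangling after this change, at the `*colon != ':'` test that follows the new strtol call. strtol stores in `colon` a pointer into the buffer of the temporary returned by `(*i)`, and that temporary is destroyed at the end of the strtol statement, so the next line reads freed storage. Bind the term to a named local first (for example `std::string term = *i;`) and pass `term.c_str () + direntry_prefix_len`, so the buffer outlives every use of `colon`. Separately, `colon == NULL` cannot be true once strtol has written the end pointer; comparing `colon` against the start pointer is the check that catches a missing number.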
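The lifetime rule from the report above, as an added example that is not part of the original message or of notmuch's code: a by-value `operator*` and a parse that keeps the string alive for as long as any pointer into it is used. `TermIter`, `parse_direntry`, the `XDIRENTRY` prefix and the sample terms are assumptions made for illustration.

```cpp
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical stand-in for Xapian::TermIterator: operator* returns a
// std::string BY VALUE, so every dereference yields a fresh temporary.
struct TermIter {
    const std::vector<std::string> *terms;
    std::size_t pos;
    std::string operator* () const { return (*terms)[pos]; }
};

// Dangling form (shown only as a comment, never executed):
//   const char *p = (*it).c_str ();   // the temporary dies at this ';'
//   strtol (p + prefix_len, &end, 10); // reads destroyed storage
// Passing (*it).c_str () directly to strtol keeps that read inside the full
// expression, but 'end' still points into the dead temporary afterwards.

// Safe form: copy the term into a named local that outlives every pointer
// derived from it. Returns true and fills the outputs for "<id>:<name>".
bool parse_direntry (const TermIter &it, std::size_t prefix_len,
                     long *directory_id, std::string *basename)
{
    const std::string term = *it;          // owns the buffer until return
    if (term.size () <= prefix_len)
        return false;
    const char *direntry = term.c_str () + prefix_len;
    char *colon = nullptr;
    long id = std::strtol (direntry, &colon, 10);
    if (colon == direntry || *colon != ':') // no digits, or no separator
        return false;
    *directory_id = id;
    *basename = colon + 1;                 // copied while 'term' is alive
    return true;
}

// Constructed sample terms; the "XDIRENTRY" prefix is an assumption.
static const std::vector<std::string> sample_terms = {
    "XDIRENTRY42:msg.eml", "XDIRENTRYnope", "XDIR"
};
static const std::size_t sample_prefix_len = 9;

int main ()
{
    long id = 0;
    std::string name;
    TermIter it{&sample_terms, 0};
    return parse_direntry (it, sample_prefix_len, &id, &name) ? 0 : 1;
}
```

Building the dangling form with AddressSanitizer (`-fsanitize=address`) is one way to have such reads reported at run time.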