fix a couple hundred deref-after-free bugs due to .c_str() on a temporary string

2025-04-23 09:05:31 +00:00 · 2020-07-11 20:24:45 +01:00 · 2020-07-11 20:24:45 +01:00 · 23e6adcad3
commit 23e6adcad3
parent 48a9defb0d
64 changed files with 248 additions and 229 deletions
--- a/src/api/api_bv.cpp
+++ b/src/api/api_bv.cpp
@ -117,7 +117,8 @@ Z3_ast Z3_API NAME(Z3_context c, unsigned i, Z3_ast n) {                \
            Z3_sort s = Z3_get_sort(c, n);
            unsigned sz = Z3_get_bv_sort_size(c, s);
            rational max_bound = power(rational(2), sz);
-            Z3_ast bound = Z3_mk_numeral(c, max_bound.to_string().c_str(), int_s);
+            auto str = max_bound.to_string();
+            Z3_ast bound = Z3_mk_numeral(c, str.c_str(), int_s);
            Z3_inc_ref(c, bound);
            Z3_ast zero = Z3_mk_int(c, 0, s);
            Z3_inc_ref(c, zero);
--- a/src/api/api_datalog.cpp
+++ b/src/api/api_datalog.cpp
@ -677,9 +677,11 @@ extern "C" {
        
        to_fixedpoint_ref(d)->ctx().get_rules_along_trace_as_formulas(rules, names);
        for (unsigned i = 0; i < names.size(); ++i) {
-            ss << ";" << names[i].str();
+            if (i != 0)
+                ss << ';';
+            ss << names[i].str();
        }
-        return of_symbol(symbol(ss.str().substr(1).c_str()));
+        return of_symbol(symbol(ss.str()));
        Z3_CATCH_RETURN(of_symbol(symbol::null));
    }

--- a/src/api/api_numeral.cpp
+++ b/src/api/api_numeral.cpp
@ -191,7 +191,7 @@ extern "C" {
        if (ok && r.is_int() && !r.is_neg()) {
            std::stringstream strm;
            r.display_bin(strm, r.get_num_bits());
-            return mk_c(c)->mk_external_string(strm.str().c_str());
+            return mk_c(c)->mk_external_string(strm.str());
        }
        else {
            SET_ERROR_CODE(Z3_INVALID_ARG, nullptr);
--- a/src/api/api_params.cpp
+++ b/src/api/api_params.cpp
@ -66,7 +66,8 @@ extern "C" {
        Z3_TRY;
        LOG_Z3_params_set_bool(c, p, k, v);
        RESET_ERROR_CODE();
-        to_params(p)->m_params.set_bool(norm_param_name(to_symbol(k)).c_str(), v);
+        auto name = norm_param_name(to_symbol(k));
+        to_params(p)->m_params.set_bool(name.c_str(), v);
        Z3_CATCH;
    }

@ -77,7 +78,8 @@ extern "C" {
        Z3_TRY;
        LOG_Z3_params_set_uint(c, p, k, v);
        RESET_ERROR_CODE();
-        to_params(p)->m_params.set_uint(norm_param_name(to_symbol(k)).c_str(), v);
+        auto name = norm_param_name(to_symbol(k));
+        to_params(p)->m_params.set_uint(name.c_str(), v);
        Z3_CATCH;
    }

@ -88,7 +90,8 @@ extern "C" {
        Z3_TRY;
        LOG_Z3_params_set_double(c, p, k, v);
        RESET_ERROR_CODE();
-        to_params(p)->m_params.set_double(norm_param_name(to_symbol(k)).c_str(), v);
+        auto name = norm_param_name(to_symbol(k));
+        to_params(p)->m_params.set_double(name.c_str(), v);
        Z3_CATCH;
    }

@ -99,7 +102,8 @@ extern "C" {
        Z3_TRY;
        LOG_Z3_params_set_symbol(c, p, k, v);
        RESET_ERROR_CODE();
-        to_params(p)->m_params.set_sym(norm_param_name(to_symbol(k)).c_str(), to_symbol(v));
+        auto name = norm_param_name(to_symbol(k));
+        to_params(p)->m_params.set_sym(name.c_str(), to_symbol(v));
        Z3_CATCH;
    }
    
--- a/src/api/c++/z3++.h
+++ b/src/api/c++/z3++.h
@ -74,7 +74,7 @@ namespace z3 {

    inline void set_param(char const * param, char const * value) { Z3_global_param_set(param, value); }
    inline void set_param(char const * param, bool value) { Z3_global_param_set(param, value ? "true" : "false"); }
-    inline void set_param(char const * param, int value) { std::ostringstream oss; oss << value; Z3_global_param_set(param, oss.str().c_str()); }
+    inline void set_param(char const * param, int value) { auto str = std::to_string(value); Z3_global_param_set(param, str.c_str()); }
    inline void reset_params() { Z3_global_param_reset_all(); }

    /**
@ -122,9 +122,8 @@ namespace z3 {
           \brief Set global parameter \c param with integer \c value.
        */
        void set(char const * param, int value) {
-            std::ostringstream oss;
-            oss << value;
-            Z3_set_param_value(m_cfg, param, oss.str().c_str());
+            auto str = std::to_string(value);
+            Z3_set_param_value(m_cfg, param, str.c_str());
        }
    };

@ -211,9 +210,8 @@ namespace z3 {
           \brief Update global parameter \c param with Integer \c value.
        */
        void set(char const * param, int value) {
-            std::ostringstream oss;
-            oss << value;
-            Z3_update_param_value(m_ctx, param, oss.str().c_str());
+            auto str = std::to_string(value);
+            Z3_update_param_value(m_ctx, param, str.c_str());
        }

        /**
@ -2839,9 +2837,8 @@ namespace z3 {
        }
        handle add(expr const& e, unsigned weight) {
            assert(e.is_bool());
-            std::stringstream strm;
-            strm << weight;
-            return handle(Z3_optimize_assert_soft(ctx(), m_opt, e, strm.str().c_str(), 0));
+            auto str = std::to_string(weight);
+            return handle(Z3_optimize_assert_soft(ctx(), m_opt, e, str.c_str(), 0));
        }
        void add(expr const& e, expr const& t) {
            assert(e.is_bool());