mirrors/z3
3
0
Fork 0
mirror of https://github.com/Z3Prover/z3 synced 2025-04-29 20:05:51 +00:00
Code Activity

fix a couple hundred deref-after-free bugs due to .c_str() on a temporary string

Browse source
This commit is contained in:
Nuno Lopes 2020-07-11 20:24:45 +01:00
parent 48a9defb0d
commit 23e6adcad3
64 changed files with 248 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/cmd_context/basic_cmds.cpp
View file

@ -292,7 +292,7 @@ UNARY_CMD(set_logic_cmd, "set-logic", "<symbol>", "set the background logic.", C
ctx.print_success();
else {
std::string msg = "ignoring unsupported logic " + arg.str();
ctx.print_unsupported(symbol(msg.c_str()), m_line, m_pos);
ctx.print_unsupported(symbol(msg), m_line, m_pos);
}
);
@ -682,7 +682,7 @@ public:
ctx.regular_stream() << "(:status " << ctx.get_status() << ")" << std::endl;
}
else if (opt == m_reason_unknown) {
ctx.regular_stream() << "(:reason-unknown \"" << escaped(ctx.reason_unknown().c_str()) << "\")" << std::endl;
ctx.regular_stream() << "(:reason-unknown \"" << escaped(ctx.reason_unknown()) << "\")" << std::endl;
}
else if (opt == m_rlimit) {
ctx.regular_stream() << "(:rlimit " << ctx.m().limit().count() << ")" << std::endl;

7
src/cmd_context/check_logic.cpp
View file

@ -215,6 +215,11 @@ struct check_logic::imp {
struct failed {};
std::string m_last_error;
void fail(std::string &&msg) {
m_last_error = std::move(msg);
throw failed();
}
void fail(char const * msg) {
m_last_error = msg;
throw failed();
@ -473,7 +478,7 @@ struct check_logic::imp {
else {
std::stringstream strm;
strm << "logic does not support theory " << m.get_family_name(fid);
fail(strm.str().c_str());
fail(strm.str());
}
}

2
src/cmd_context/cmd_context.cpp
View file

@ -1656,7 +1656,7 @@ void cmd_context::display_model(model_ref& mdl) {
if (p.v1() || p.v2()) {
std::ostringstream buffer;
model_v2_pp(buffer, *mdl, false);
regular_stream() << "\"" << escaped(buffer.str().c_str(), true) << "\"" << std::endl;
regular_stream() << '"' << escaped(buffer.str(), true) << '"' << std::endl;
} else {
regular_stream() << "(model " << std::endl;
model_smt2_pp(regular_stream(), *this, *mdl, 2);

4
src/cmd_context/parametric_cmd.cpp
View file

@ -26,7 +26,7 @@ char const * parametric_cmd::get_descr(cmd_context & ctx) const {
m_descr->append("\nThe following options are available:\n");
std::ostringstream buf;
pdescrs(ctx).display(buf, 2);
m_descr->append(buf.str().c_str());
m_descr->append(buf.str());
}
return m_descr->c_str();
}
@ -38,7 +38,7 @@ cmd_arg_kind parametric_cmd::next_arg_kind(cmd_context & ctx) const {
void parametric_cmd::set_next_arg(cmd_context & ctx, symbol const & s) {
if (m_last == symbol::null) {
m_last = symbol(norm_param_name(s).c_str());
m_last = symbol(norm_param_name(s));
if (pdescrs(ctx).get_kind(m_last.bare_str()) == CPK_INVALID)
throw cmd_exception("invalid keyword argument");
return;

12
src/cmd_context/pdecl.cpp
View file

@ -808,13 +808,13 @@ struct pdecl_manager::app_sort_info : public pdecl_manager::sort_info {
format * pp(pdecl_manager const & m) const override {
if (m_args.empty()) {
return mk_string(m.m(), m_decl->get_name().str().c_str());
return mk_string(m.m(), m_decl->get_name().str());
}
else {
ptr_buffer<format> b;
for (auto arg : m_args)
b.push_back(m.pp(arg));
return mk_seq1(m.m(), b.begin(), b.end(), f2f(), m_decl->get_name().str().c_str());
return mk_seq1(m.m(), b.begin(), b.end(), f2f(), m_decl->get_name().str());
}
}
};
@ -846,11 +846,11 @@ struct pdecl_manager::indexed_sort_info : public pdecl_manager::sort_info {
format * pp(pdecl_manager const & m) const override {
if (m_indices.empty()) {
return mk_string(m.m(), m_decl->get_name().str().c_str());
return mk_string(m.m(), m_decl->get_name().str());
}
else {
ptr_buffer<format> b;
b.push_back(mk_string(m.m(), m_decl->get_name().str().c_str()));
b.push_back(mk_string(m.m(), m_decl->get_name().str()));
for (auto idx : m_indices)
b.push_back(mk_unsigned(m.m(), idx));
return mk_seq1(m.m(), b.begin(), b.end(), f2f(), "_");
@ -1076,11 +1076,11 @@ format * pdecl_manager::pp(sort * s) const {
if (i == num_params) {
// all parameters are integer
ptr_buffer<format> b;
b.push_back(mk_string(m(), s->get_name().str().c_str()));
b.push_back(mk_string(m(), s->get_name().str()));
for (unsigned i = 0; i < num_params; i++)
b.push_back(mk_unsigned(m(), s->get_parameter(i).get_int()));
return mk_seq1(m(), b.begin(), b.end(), f2f(), "_");
}
}
return mk_string(m(), s->get_name().str().c_str());
return mk_string(m(), s->get_name().str());
}

7
src/cmd_context/tactic_cmds.cpp
View file

@ -77,8 +77,7 @@ ATOMIC_CMD(get_user_tactics_cmd, "get-user-tactics", "display tactics defined us
it->m_value->display(buf);
buf << ")";
}
std::string r = buf.str();
ctx.regular_stream() << escaped(r.c_str());
ctx.regular_stream() << escaped(buf.str());
ctx.regular_stream() << ")\n";
});
@ -112,7 +111,7 @@ void help_tactic(cmd_context & ctx) {
probe_info * pinfo = *it2;
buf << "- " << pinfo->get_name() << " " << pinfo->get_descr() << "\n";
}
ctx.regular_stream() << "\"" << escaped(buf.str().c_str()) << "\"\n";
ctx.regular_stream() << '"' << escaped(buf.str()) << "\"\n";
}
ATOMIC_CMD(help_tactic_cmd, "help-tactic", "display the tactic combinators and primitives.", help_tactic(ctx););
@ -507,7 +506,7 @@ static tactic * mk_using_params(cmd_context & ctx, sexpr * n) {
throw cmd_exception("invalid using-params combinator, keyword expected", c->get_line(), c->get_pos());
if (i == num_children)
throw cmd_exception("invalid using-params combinator, parameter value expected", c->get_line(), c->get_pos());
symbol param_name = symbol(norm_param_name(c->get_symbol()).c_str());
symbol param_name = symbol(norm_param_name(c->get_symbol()));
c = n->get_child(i);
i++;
switch (descrs.get_kind_in_module(param_name)) {