Skip to content

GitLab

Closed
Created by Martin Heistermann@mheistermannDeveloper

SelectionBasePlugin::findObjectType dereferences a past-the-end iterator.

if obj is non-null, but selectionEnvironments is empty_, it will deref the end iterator.

Found this using glibc's checked iterator option:

/usr/bin/../lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/c++/6.3.0/debug/safe_iterator.h:284:
Error: attempt to dereference a past-the-end iterator.

Objects involved in the operation:
    iterator "this" @ 0x0x7fff72800988 {
      type = __gnu_debug::_Safe_iterator<std::_Rb_tree_iterator<std::pair<QString const, SelectionBasePlugin::SelectionEnvironment> >, std::__debug::map<QString, SelectionBasePlugin::SelectionEnvironment, std::less<QString>, std::allocator<std::pair<QString const, SelectionBasePlugin::SelectionEnvironment> > > > (mutable iterator);
      state = past-the-end;
      references sequence with type 'std::__debug::map<QString, SelectionBasePlugin::SelectionEnvironment, std::less<QString>, std::allocator<std::pair<QString const, SelectionBasePlugin::SelectionEnvironment> > >' @ 0x0x26f5cc8
    }
Command terminated by signal 6

Backtrace:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007f43907aa40a in __GI_abort () at abort.c:89
#2  0x00007f43910e65eb in __gnu_debug::_Error_formatter::_M_error() const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00007f42ca963f83 in __gnu_debug::_Safe_iterator<std::_Rb_tree_iterator<std::pair<QString const, SelectionBasePlugin::SelectionEnvironment> >, std::__debug::map<QString, SelectionBasePlugin::SelectionEnvironment, std::less<QString>, std::allocator<std::pair<QString const, SelectionBasePlugin::SelectionEnvironment> > > >::operator-> (
    this=0x7fff72800988) at /usr/bin/../lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/c++/6.3.0/debug/safe_iterator.h:282
#4  0x00007f42ca960062 in SelectionBasePlugin::findObjectType (this=<optimized out>, obj=<optimized out>, found=<optimized out>, env=<optimized out>, _id=<optimized out>)
    at /home/gitlab-runner/src/OpenFlipper-Free/PluginCollection-Selection/Plugin-SelectionBase/SelectionBasePlugin.cc:1823
#5  0x00007f42ca95faa1 in SelectionBasePlugin::addedEmptyObject (this=0x26f5c50, _id=2)
    at /home/gitlab-runner/src/OpenFlipper-Free/PluginCollection-Selection/Plugin-SelectionBase/SelectionBasePlugin.cc:1495
#6  0x00007f4391bac5e9 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#7  0x000000000065add1 in Core::emptyObjectAdded (this=0x2, _t1=<optimized out>)
    at /home/gitlab-runner/src/OpenFlipper-Free/build-RelWithDebInfo-clang4-asan/OpenFlipper/CoreApp/moc_Core.cpp:2996
#8  0x000000000055c540 in Core::slotEmptyObjectAdded (this=0x1d98380, _id=2) at /home/gitlab-runner/src/OpenFlipper-Free/OpenFlipper/Core/openFunctions.cc:771
#9  0x00007f4391bad499 in QObject::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
[...]