Fix heap-use-after-free in Parser error handling

glebm · xzyfer · commit 930857ce4938 · 2018-11-23T19:02:00.000+11:00
Fixes #2643
diff --git a/src/error_handling.cpp b/src/error_handling.cpp
@@ -15,8 +15,8 @@ namespace Sass {
       prefix("Error"), pstate(pstate), traces(traces)
     { }
 
-    InvalidSass::InvalidSass(ParserState pstate, Backtraces traces, std::string msg)
-    : Base(pstate, msg, traces)
+    InvalidSass::InvalidSass(ParserState pstate, Backtraces traces, std::string msg, char* owned_src)
+    : Base(pstate, msg, traces), owned_src(owned_src)
     { }
 
 
diff --git a/src/error_handling.hpp b/src/error_handling.hpp
@@ -37,8 +37,9 @@ namespace Sass {
 
     class InvalidSass : public Base {
       public:
-        InvalidSass(ParserState pstate, Backtraces traces, std::string msg);
-        virtual ~InvalidSass() throw() {};
+        InvalidSass(ParserState pstate, Backtraces traces, std::string msg, char* owned_src = nullptr);
+        virtual ~InvalidSass() throw() { sass_free_memory(owned_src); };
+        char *owned_src;
     };
 
     class InvalidParent : public Base {
diff --git a/src/parser.cpp b/src/parser.cpp
@@ -3054,8 +3054,11 @@ namespace Sass {
   {
     Position p(pos.line ? pos : before_token);
     ParserState pstate(path, source, p, Offset(0, 0));
+    // `pstate.src` may not outlive stack unwind so we must copy it.
+    char *src_copy = sass_copy_c_string(pstate.src);
+    pstate.src = src_copy;
     traces.push_back(Backtrace(pstate));
-    throw Exception::InvalidSass(pstate, traces, msg);
+    throw Exception::InvalidSass(pstate, traces, msg, src_copy);
   }
 
   void Parser::error(std::string msg)

Original file line number	Diff line number	Diff line change
`@@ -3054,8 +3054,11 @@ namespace Sass {`
`3054`	`3054`	`{`
`3055`	`3055`	`Position p(pos.line ? pos : before_token);`
`3056`	`3056`	`ParserState pstate(path, source, p, Offset(0, 0));`
	`3057`	+ // `pstate.src` may not outlive stack unwind so we must copy it.
	`3058`	`+ char *src_copy = sass_copy_c_string(pstate.src);`
	`3059`	`+ pstate.src = src_copy;`
`3057`	`3060`	`traces.push_back(Backtrace(pstate));`
`3058`		`- throw Exception::InvalidSass(pstate, traces, msg);`
	`3061`	`+ throw Exception::InvalidSass(pstate, traces, msg, src_copy);`
`3059`	`3062`	`}`
`3060`	`3063`
`3061`	`3064`	`void Parser::error(std::string msg)`