diff options
| author | Andres Nötzli <andres.noetzli@gmail.com> | 2017-06-30 11:39:17 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-06-30 11:39:17 -0700 |
| commit | ae4089fb6ff60fd5af5a212d68b91928f94bb5f2 (patch) | |
| tree | 7a68514dce79ca91f72f9245120517a391075d44 | |
| parent | 303b91f3f5b8df1a884566a7d433ced17f0cd352 (diff) | |
Fix use-after-free with unsat cores/proofs (#174)
In TSatProof<Solver>::finalizeProof(), we got a clause from the clause
allocator, called resolveUnit() and then size() on the clause. The problem is
that resolveUnit() can reallocate memory (and there is even a comment warning
about that in finalizeProof()), which invalidates the clause. This commit gets
the clause again from the clause allocator before calling size().
| -rw-r--r-- | src/proof/sat_proof_implementation.h | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/proof/sat_proof_implementation.h b/src/proof/sat_proof_implementation.h index 6cb10450a..44d98e88e 100644 --- a/src/proof/sat_proof_implementation.h +++ b/src/proof/sat_proof_implementation.h @@ -903,13 +903,11 @@ void TSatProof<Solver>::finalizeProof(typename Solver::TCRef conflict_ref) { ResChain<Solver>* res = new ResChain<Solver>(conflict_id); // Here, the call to resolveUnit() can reallocate memory in the // clause allocator. So reload conflict ptr each time. - size_t conflict_size = getClause(conflict_ref).size(); - for (size_t i = 0; i < conflict_size; ++i) { + for (size_t i = 0; i < getClause(conflict_ref).size(); ++i) { const typename Solver::TClause& conflict = getClause(conflict_ref); typename Solver::TLit lit = conflict[i]; ClauseId res_id = resolveUnit(~lit); res->addStep(lit, res_id, !sign(lit)); - conflict_size = conflict.size(); } registerResolution(d_emptyClauseId, res); |