diff options
author | Andres Notzli <andres.noetzli@gmail.com> | 2016-07-27 14:06:56 -0700 |
---|---|---|
committer | Andres Notzli <andres.noetzli@gmail.com> | 2016-07-27 21:39:39 -0700 |
commit | 2db836a8d785cb4d3c7f364dc5a968b5f6394b5c (patch) | |
tree | 9f9aecca77b6baa9d6cc95ab393ed92015bc762b /src/expr/expr_manager_template.h | |
parent | 490489a78beca486df5d4a0d8b7704e6235ca6fc (diff) |
Fix out-of-bounds access in ExprManager
The size of `d_exprStatisticsVars` was `LAST_TYPE` which was not enough
because the INC_STAT macro tries to access
`d_exprStatisticsVars[LAST_TYPE]` in some cases, resulting in an
out-of-bounds access. Found bug with UBSan.
Diffstat (limited to 'src/expr/expr_manager_template.h')
-rw-r--r-- | src/expr/expr_manager_template.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/expr/expr_manager_template.h b/src/expr/expr_manager_template.h index 31c911736..f30b720de 100644 --- a/src/expr/expr_manager_template.h +++ b/src/expr/expr_manager_template.h @@ -57,7 +57,7 @@ private: NodeManager* d_nodeManager; /** Counts of expressions and variables created of a given kind */ - IntStat* d_exprStatisticsVars[LAST_TYPE]; + IntStat* d_exprStatisticsVars[LAST_TYPE + 1]; IntStat* d_exprStatistics[kind::LAST_KIND]; /** |