From ad9173df1f1707fb1f72b19b8b8a6902738cb410 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Thu, 22 Jun 2017 16:33:08 -0700
Subject: ART: Fix use-after-free

Fix use-after-free because of vector resize.

Bug: 62353392
Test: m test-art-host
Test: SANITIZE_HOST=address art/test/testrunner/testrunner.py -b --host -t 911
Change-Id: If6d925cb73d9e926ee90714e8682530e1990edf4
---
 runtime/openjdkjvmti/ti_stack.cc | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

(limited to 'runtime/openjdkjvmti/ti_stack.cc')

diff --git a/runtime/openjdkjvmti/ti_stack.cc b/runtime/openjdkjvmti/ti_stack.cc
index ee89372a68..a17226c55a 100644
--- a/runtime/openjdkjvmti/ti_stack.cc
+++ b/runtime/openjdkjvmti/ti_stack.cc
@@ -359,8 +359,8 @@ jvmtiError StackUtil::GetAllStackTraces(jvmtiEnv* env,
           self, thread->GetPeerFromOtherThread());
       thread_peers.push_back(peer);
 
-      frames.emplace_back();
-      return &frames.back();
+      frames.emplace_back(new std::vector<jvmtiFrameInfo>());
+      return frames.back().get();
     }
 
     art::Mutex mutex;
@@ -371,7 +371,7 @@ jvmtiError StackUtil::GetAllStackTraces(jvmtiEnv* env,
     // "thread_peers" contains global references to their peers.
     std::vector<jthread> thread_peers;
 
-    std::vector<std::vector<jvmtiFrameInfo>> frames;
+    std::vector<std::unique_ptr<std::vector<jvmtiFrameInfo>>> frames;
   };
 
   AllStackTracesData data;
@@ -396,7 +396,7 @@ jvmtiError StackUtil::GetAllStackTraces(jvmtiEnv* env,
     jvmtiStackInfo& stack_info = stack_info_array.get()[index];
     memset(&stack_info, 0, sizeof(jvmtiStackInfo));
 
-    const std::vector<jvmtiFrameInfo>& thread_frames = data.frames[index];
+    const std::vector<jvmtiFrameInfo>& thread_frames = *data.frames[index].get();
 
     // For the time being, set the thread to null. We'll fix it up in the second stage.
     stack_info.thread = nullptr;
@@ -503,8 +503,8 @@ jvmtiError StackUtil::GetThreadListStackTraces(jvmtiEnv* env,
           threads.push_back(thread);
           thread_list_indices.push_back(index);
 
-          frames.emplace_back();
-          return &frames.back();
+          frames.emplace_back(new std::vector<jvmtiFrameInfo>());
+          return frames.back().get();
         }
       }
       return nullptr;
@@ -521,7 +521,7 @@ jvmtiError StackUtil::GetThreadListStackTraces(jvmtiEnv* env,
     std::vector<art::Thread*> threads;
     std::vector<size_t> thread_list_indices;
 
-    std::vector<std::vector<jvmtiFrameInfo>> frames;
+    std::vector<std::unique_ptr<std::vector<jvmtiFrameInfo>>> frames;
   };
 
   SelectStackTracesData data;
@@ -558,7 +558,7 @@ jvmtiError StackUtil::GetThreadListStackTraces(jvmtiEnv* env,
     memset(&stack_info, 0, sizeof(jvmtiStackInfo));
 
     art::Thread* self = data.threads[index];
-    const std::vector<jvmtiFrameInfo>& thread_frames = data.frames[index];
+    const std::vector<jvmtiFrameInfo>& thread_frames = *data.frames[index].get();
 
     // For the time being, set the thread to null. We don't have good ScopedLocalRef
     // infrastructure.
-- 
cgit v1.2.3-59-g8ed1b