From 9e8519b7a2c765b427f85f0aaa456256785eceb7 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Thu, 5 Apr 2018 23:26:06 +0200
Subject: fix use-after-free in BufMap.set()

closes #879
---
 std/buf_map.zig | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

(limited to 'std/buf_map.zig')

diff --git a/std/buf_map.zig b/std/buf_map.zig
index a58df4b2db..7e2ea99f1a 100644
--- a/std/buf_map.zig
+++ b/std/buf_map.zig
@@ -31,8 +31,8 @@ pub const BufMap = struct {
         if (self.hash_map.get(key)) |entry| {
             const value_copy = try self.copy(value);
             errdefer self.free(value_copy);
-            _ = try self.hash_map.put(key, value_copy);
-            self.free(entry.value);
+            const old_value = ??(try self.hash_map.put(key, value_copy));
+            self.free(old_value);
         } else {
             const key_copy = try self.copy(key);
             errdefer self.free(key_copy);
@@ -71,3 +71,29 @@ pub const BufMap = struct {
         return result;
     }
 };
+
+const assert = @import("debug/index.zig").assert;
+const heap = @import("heap.zig");
+
+test "BufMap" {
+    var direct_allocator = heap.DirectAllocator.init();
+    defer direct_allocator.deinit();
+
+    var bufmap = BufMap.init(&direct_allocator.allocator);
+    defer bufmap.deinit();
+
+    try bufmap.set("x", "1");
+    assert(mem.eql(u8, ??bufmap.get("x"), "1"));
+    assert(1 == bufmap.count());
+
+    try bufmap.set("x", "2");
+    assert(mem.eql(u8, ??bufmap.get("x"), "2"));
+    assert(1 == bufmap.count());
+
+    try bufmap.set("x", "3");
+    assert(mem.eql(u8, ??bufmap.get("x"), "3"));
+    assert(1 == bufmap.count());
+
+    bufmap.delete("x");
+    assert(0 == bufmap.count());
+}
-- 
cgit v1.2.3


From 58c6424d4fe64f88e25714d20d5755d31a7775c1 Mon Sep 17 00:00:00 2001
From: Andrew Kelley <superjoe30@gmail.com>
Date: Wed, 11 Apr 2018 00:32:42 -0400
Subject: simplify and fix BufMap logic

---
 std/buf_map.zig  | 33 ++++++++++++---------------------
 std/hash_map.zig |  6 +++++-
 2 files changed, 17 insertions(+), 22 deletions(-)

(limited to 'std/buf_map.zig')

diff --git a/std/buf_map.zig b/std/buf_map.zig
index 7e2ea99f1a..3e12d9a7d9 100644
--- a/std/buf_map.zig
+++ b/std/buf_map.zig
@@ -1,6 +1,8 @@
-const HashMap = @import("hash_map.zig").HashMap;
-const mem = @import("mem.zig");
+const std = @import("index.zig");
+const HashMap = std.HashMap;
+const mem = std.mem;
 const Allocator = mem.Allocator;
+const assert = std.debug.assert;
 
 /// BufMap copies keys and values before they go into the map, and
 /// frees them when they get removed.
@@ -28,18 +30,12 @@ pub const BufMap = struct {
     }
 
     pub fn set(self: &BufMap, key: []const u8, value: []const u8) !void {
-        if (self.hash_map.get(key)) |entry| {
-            const value_copy = try self.copy(value);
-            errdefer self.free(value_copy);
-            const old_value = ??(try self.hash_map.put(key, value_copy));
-            self.free(old_value);
-        } else {
-            const key_copy = try self.copy(key);
-            errdefer self.free(key_copy);
-            const value_copy = try self.copy(value);
-            errdefer self.free(value_copy);
-            _ = try self.hash_map.put(key_copy, value_copy);
-        }
+        self.delete(key);
+        const key_copy = try self.copy(key);
+        errdefer self.free(key_copy);
+        const value_copy = try self.copy(value);
+        errdefer self.free(value_copy);
+        _ = try self.hash_map.put(key_copy, value_copy);
     }
 
     pub fn get(self: &BufMap, key: []const u8) ?[]const u8 {
@@ -66,17 +62,12 @@ pub const BufMap = struct {
     }
 
     fn copy(self: &BufMap, value: []const u8) ![]const u8 {
-        const result = try self.hash_map.allocator.alloc(u8, value.len);
-        mem.copy(u8, result, value);
-        return result;
+        return mem.dupe(self.hash_map.allocator, u8, value);
     }
 };
 
-const assert = @import("debug/index.zig").assert;
-const heap = @import("heap.zig");
-
 test "BufMap" {
-    var direct_allocator = heap.DirectAllocator.init();
+    var direct_allocator = std.heap.DirectAllocator.init();
     defer direct_allocator.deinit();
 
     var bufmap = BufMap.init(&direct_allocator.allocator);
diff --git a/std/hash_map.zig b/std/hash_map.zig
index becced64ff..29dd233753 100644
--- a/std/hash_map.zig
+++ b/std/hash_map.zig
@@ -114,6 +114,7 @@ pub fn HashMap(comptime K: type, comptime V: type,
         }
 
         pub fn remove(hm: &Self, key: K) ?&Entry {
+            if (hm.entries.len == 0) return null;
             hm.incrementModificationCount();
             const start_index = hm.keyToIndex(key);
             {var roll_over: usize = 0; while (roll_over <= hm.max_distance_from_start_index) : (roll_over += 1) {
@@ -236,7 +237,10 @@ pub fn HashMap(comptime K: type, comptime V: type,
 }
 
 test "basic hash map usage" {
-    var map = HashMap(i32, i32, hash_i32, eql_i32).init(debug.global_allocator);
+    var direct_allocator = std.heap.DirectAllocator.init();
+    defer direct_allocator.deinit();
+
+    var map = HashMap(i32, i32, hash_i32, eql_i32).init(&direct_allocator.allocator);
     defer map.deinit();
 
     assert((map.put(1, 11) catch unreachable) == null);
-- 
cgit v1.2.3