[clang] Fix a use-after free in ASTContext::getSubstBuiltinTemplatePack (#160970)

alexfh · web-flow · commit 61012483df44 · 2025-09-27T08:38:46.000+02:00
ASTContext::getSubstBuiltinTemplatePack finds InsertPos and then calls itself recursively, which may lead to rehashing and invalidation of all pointers to buckets. The function then proceeds with using the potentially invalid InsertPos, leading to use-after-free. The issue goes back to #157662. I didn't manage to produce a reasonably-sized test case yet.
diff --git a/clang/lib/AST/ASTContext.cpp b/clang/lib/AST/ASTContext.cpp
@@ -5873,8 +5873,14 @@ ASTContext::getSubstBuiltinTemplatePack(const TemplateArgument &ArgPack) {
 
   QualType Canon;
   TemplateArgument CanonArgPack = getCanonicalTemplateArgument(ArgPack);
-  if (!CanonArgPack.structurallyEquals(ArgPack))
+  if (!CanonArgPack.structurallyEquals(ArgPack)) {
     Canon = getSubstBuiltinTemplatePack(CanonArgPack);
+    // Refresh InsertPos, in case the recursive call above caused rehashing,
+    // which would invalidate the bucket pointer.
+    [[maybe_unused]] const auto *Nothing =
+        SubstBuiltinTemplatePackTypes.FindNodeOrInsertPos(ID, InsertPos);
+    assert(!Nothing);
+  }
 
   auto *PackType = new (*this, alignof(SubstBuiltinTemplatePackType))
       SubstBuiltinTemplatePackType(Canon, ArgPack);
