Refactor ChangesetDiscussionBuilder to use offset instead of pointer for comment management to prevent corrupted memory access when the size of comments go larger and triggers buffer reallocation handling (e.g. changeset with id 62278154).

yarray · yarray · commit 110fe88d71c3 · 2025-07-01T23:17:29.000+08:00
diff --git a/include/osmium/builder/osm_object_builder.hpp b/include/osmium/builder/osm_object_builder.hpp
@@ -324,7 +324,7 @@ namespace osmium {
 
         class ChangesetDiscussionBuilder : public Builder {
 
-            osmium::ChangesetComment* m_comment = nullptr;
+            std::size_t m_comment_offset = SIZE_MAX;
 
             void add_user(osmium::ChangesetComment& comment, const char* user, const std::size_t length) {
                 if (length > osmium::max_osm_string_length) {
@@ -343,6 +343,16 @@ namespace osmium {
                 add_padding(true);
             }
 
+            // Get current comment pointer (recalculated each time to handle buffer reallocation)
+            osmium::ChangesetComment* get_comment_ptr() {
+                if (m_comment_offset == SIZE_MAX) {
+                    return nullptr;
+                }
+                return reinterpret_cast<osmium::ChangesetComment*>(
+                    buffer().data() + buffer().committed() + m_comment_offset
+                );
+            }
+
         public:
 
             explicit ChangesetDiscussionBuilder(osmium::memory::Buffer& buffer, Builder* parent = nullptr) :
@@ -362,32 +372,53 @@ namespace osmium {
             ChangesetDiscussionBuilder& operator=(ChangesetDiscussionBuilder&&) = delete;
 
             ~ChangesetDiscussionBuilder() {
-                assert(!m_comment && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
+                assert(m_comment_offset == SIZE_MAX && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
                 add_padding();
             }
 
             void add_comment(osmium::Timestamp date, osmium::user_id_type uid, const char* user) {
-                assert(!m_comment && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
-                m_comment = reserve_space_for<osmium::ChangesetComment>();
-                new (m_comment) osmium::ChangesetComment{date, uid};
+                assert(m_comment_offset == SIZE_MAX && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
+                
+                // Store offset instead of pointer to handle buffer reallocation
+                m_comment_offset = buffer().written() - buffer().committed();
+                
+                auto* comment = reserve_space_for<osmium::ChangesetComment>();
+                new (comment) osmium::ChangesetComment{date, uid};
                 add_size(sizeof(ChangesetComment));
-                add_user(*m_comment, user, std::strlen(user));
+                
+                auto* comment_ptr = get_comment_ptr();
+                add_user(*comment_ptr, user, std::strlen(user));
             }
 
             void add_comment_text(const char* text) {
-                assert(m_comment && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
-                osmium::ChangesetComment& comment = *m_comment;
-                m_comment = nullptr;
+                assert(m_comment_offset != SIZE_MAX && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
+                
+                // Get fresh pointer each time to handle buffer reallocation
+                auto* comment_ptr = get_comment_ptr();
+                osmium::ChangesetComment& comment = *comment_ptr;
+                
+                // Invalidate offset to ensure right adding order
+                m_comment_offset = SIZE_MAX;
+                
                 add_text(comment, text, std::strlen(text));
             }
 
             void add_comment_text(const std::string& text) {
-                assert(m_comment && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
-                osmium::ChangesetComment& comment = *m_comment;
-                m_comment = nullptr;
+                assert(m_comment_offset != SIZE_MAX && "You have to always call both add_comment() and then add_comment_text() in that order for each comment!");
+                
+                // Get fresh pointer each time to handle buffer reallocation
+                auto* comment_ptr = get_comment_ptr();
+                osmium::ChangesetComment& comment = *comment_ptr;
+                
+                // Invalidate offset to ensure right adding order
+                m_comment_offset = SIZE_MAX;
+                
                 add_text(comment, text.c_str(), text.size());
             }
 
+            bool has_open_comment() const noexcept {
+                return m_comment_offset != SIZE_MAX;
+            }
         }; // class ChangesetDiscussionBuilder
 
 #define OSMIUM_FORWARD(setter) \
