github
False positives in cpp/use-after-free
I'm getting about 20 of these on my code but I'll only show one because they're all the same.
CodeQL is identifying this as a potential use after free because there's a delete[] on line 3 of this sample. But line 5 calls new[] so the pointer used on line 6 should never be dangerous to use. I don't know if CodeQL is confused by the number of pointers but this isn't an issue.
Step 1 pointer to operator delete[] output argument Step 2 *m_CSEngine [post update] [m_arrSpeedInit] Step 3 *m_pRaw [post update] [*m_CSEngine, m_arrSpeedInit] Step 4 *this [post update] [*m_pRaw, *m_CSEngine, m_arrSpeedInit] Step 5 *this [*m_pRaw, *m_CSEngine, m_arrSpeedInit] Step 6 *m_pRaw [*m_CSEngine, m_arrSpeedInit] Step 7 *m_CSEngine [m_arrSpeedInit] Step 8 m_arrSpeedInit - Memory may have been previously freed by delete[].
if (((CRawDetectionPlate*)m_pRaw)->m_CSEngine->m_arrSpeedInit!=NULL)
{
delete []((CRawDetectionPlate*)m_pRaw)->m_CSEngine->m_arrSpeedInit; // <- Steps 1, 2, 3, 4
}
((CRawDetectionPlate*)m_pRaw)->m_CSEngine->m_arrSpeedInit = new int[((CRawDetectionPlate*)m_pRaw)->m_CSEngine->m_numberObj];
memcpy(((CRawDetectionPlate*)m_pRaw)->m_CSEngine->m_arrSpeedInit,(BYTE*)p+pos,((CRawDetectionPlate*)m_pRaw)->m_CSEngine->m_numberObj*sizeof(int)); // <- Steps 5, 6, 7, 8
Hi @parsley72,
Thanks for detailed reporting on this. I've opened an internal issue to track this. It looks like our dataflow library fails to conclude that ((CRawDetectionPlate*)m_pRaw)->m_CSEngine->m_arrSpeedInit = new int[...] clears the current value of m_arrSpeedInit, and thus the "deleted value" coming out of delete [] ... incorrectly reaches the memcpy argument.
I'll discuss with the team how to handle this, and I'll let you know as soon as we have a fix 🙂
