
Fix use-after-free in QuicRangeRemoveRange middle-split path#5882

Open
guhetier wants to merge 1 commit into main from guhetier/fix-range-uaf_copilot

Conversation

@guhetier (Collaborator)

Description

Fix use-after-free in QuicRangeRemoveRange (src/core/range.c). In the middle-split path, the Sub pointer captured before QuicRangeMakeSpace becomes dangling when MakeSpace triggers QuicRangeGrow, which frees the old heap-allocated SubRanges array. The subsequent *NewSub = *Sub reads from freed memory.

Fix: Copy *Sub to a stack-local QUIC_SUBRANGE before calling MakeSpace, then assign the saved value to *NewSub.

Trigger conditions (all required):

  1. UsedLength == AllocLength (array at capacity)
  2. AllocLength > QUIC_RANGE_INITIAL_SUB_COUNT (8): old array is heap-allocated
  3. Middle-overlap case in RemoveRange

Fixes #5824

Testing

New test RangeTest.RemoveRangeMiddleSplitWithGrow added. It fills 16 subranges (forcing heap allocation at AllocLength=16), then splits one via RemoveRange to trigger growth from 16 to 32.

Verified with Application Verifier (Page Heap):

  • Without fix: SEH exception 0xc0000005 (access violation)
  • With fix: All 42 RangeTest cases pass

Documentation

No documentation impact.

In QuicRangeRemoveRange, the Sub pointer captured before
QuicRangeMakeSpace becomes dangling when MakeSpace triggers
QuicRangeGrow, which frees the old heap-allocated SubRanges
array. The subsequent *NewSub = *Sub reads from freed memory.

Fix: copy *Sub to a stack-local QUIC_SUBRANGE before calling
MakeSpace, then assign the saved value to *NewSub.

Add regression test RemoveRangeMiddleSplitWithGrow that fills
16 subranges (forcing heap allocation at AllocLength=16), then
splits one via RemoveRange to trigger growth from 16 to 32.

Fixes: #5824

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
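The bug pattern described above, as an added illustration that is not msquic's code: a hypothetical, simplified range type with the same shape (inline storage of 8 entries, doubling growth that frees the old heap array, a MakeSpace that may grow). The split function applies the fix from the PR (copy the entry to a stack local before MakeSpace, then index the possibly reallocated array afresh), and `MiddleSplitWithGrow` reproduces the regression scenario from the description with constructed input. All names here are assumptions, not msquic identifiers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define INITIAL_SUB_COUNT 8   /* hypothetical, simplified stand-in for QUIC_RANGE (not msquic's code) */
typedef struct { uint64_t Low; uint64_t Count; } SubRange;
typedef struct {
    uint32_t UsedLength, AllocLength;
    SubRange *SubRanges;               /* points at Inline, or at a heap array once grown */
    SubRange Inline[INITIAL_SUB_COUNT];
} Range;
static void RangeInit(Range *R) { R->UsedLength = 0; R->AllocLength = INITIAL_SUB_COUNT; R->SubRanges = R->Inline; }
static void RangeUninit(Range *R) { if (R->SubRanges != R->Inline) free(R->SubRanges); }
/* Doubling growth: frees the old heap array, so any element pointer taken before it dangles. */
static int RangeGrow(Range *R) {
    SubRange *New = malloc((size_t)R->AllocLength * 2 * sizeof(SubRange));
    if (!New) return 0;
    memcpy(New, R->SubRanges, R->UsedLength * sizeof(SubRange));
    RangeUninit(R);
    R->SubRanges = New; R->AllocLength *= 2;
    return 1;
}
/* Opens an empty slot at Index, growing first if the array is full. */
static int RangeMakeSpace(Range *R, uint32_t Index) {
    if (R->UsedLength == R->AllocLength && !RangeGrow(R)) return 0;
    memmove(&R->SubRanges[Index + 1], &R->SubRanges[Index], (R->UsedLength - Index) * sizeof(SubRange));
    R->UsedLength++;
    return 1;
}
/* Middle split: carve [Low, Low+Count) out of subrange Index, which strictly contains it.
 * Buggy shape was  Sub = &SubRanges[Index]; MakeSpace(); *NewSub = *Sub;  (Sub dangles after growth).
 * Fixed shape: copy the entry to the stack first, then index the (possibly new) array afresh. */
static int RangeSplitMiddle(Range *R, uint32_t Index, uint64_t Low, uint64_t Count) {
    SubRange Saved = R->SubRanges[Index];
    if (!RangeMakeSpace(R, Index + 1)) return 0;
    R->SubRanges[Index].Count = Low - Saved.Low;
    R->SubRanges[Index + 1].Low = Low + Count;
    R->SubRanges[Index + 1].Count = Saved.Low + Saved.Count - (Low + Count);
    return 1;
}
/* The PR's regression scenario: 16 entries (heap-backed, AllocLength 16), then a middle split
 * that forces growth to 32. Returns 1 when the split result is correct. */
int MiddleSplitWithGrow(void) {
    Range R; RangeInit(&R);
    for (uint32_t i = 0; i < 16; i++) {            /* constructed input: [0,50), [100,150), ... */
        if (!RangeMakeSpace(&R, i)) return 0;
        R.SubRanges[i].Low = i * 100; R.SubRanges[i].Count = 50;
    }
    int Ok = R.AllocLength == 16 && R.SubRanges != R.Inline && RangeSplitMiddle(&R, 5, 510, 20);
    Ok = Ok && R.UsedLength == 17 && R.AllocLength == 32 && R.SubRanges[5].Low == 500
         && R.SubRanges[5].Count == 10 && R.SubRanges[6].Low == 530 && R.SubRanges[6].Count == 20
         && R.SubRanges[7].Low == 600;
    RangeUninit(&R); return Ok;
}
```

Running the same scenario with the buggy shape under a page-heap tool (as the description did with Application Verifier) is what surfaces the read from freed memory; with the stack copy the split is correct and the old array is never touched after growth.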
@guhetier guhetier requested a review from a team as a code owner March 20, 2026 19:36
@codecov

codecov bot commented Mar 20, 2026

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.85%. Comparing base (3cb76b0) to head (bf9951a).
⚠️ Report is 1 commit behind head on main.

Files with missing lines | Patch % | Lines
--- | --- | ---
src/core/range.c | 0.00% | 2 Missing ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (80.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5882      +/-   ##
==========================================
- Coverage   86.14%   84.85%   -1.29%     
==========================================
  Files          60       60              
  Lines       18732    18733       +1     
==========================================
- Hits        16136    15896     -240     
- Misses       2596     2837     +241     




Development

Successfully merging this pull request may close these issues.

Potential use-after-free in QuicRangeRemoveRange middle-split path.
