Fix use-after-free when generating sourcemap types

We triggered a UAF because we call handleSourcemapUpdate twice, once per typechecker (autocomplete and non-autocomplete). However, the call to instanceTypes.clear() was moved into the handleSourcemapUpdate function, meaning it would clear the types created after the first call, causing a UAF. We fix this by moving the arena clear call to before update is called Fixes #657
JohnnyMorganz · Jun 24, 2024 · 1dfbc66 · 1dfbc66
1 parent 520ad44
commit 1dfbc66
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Fixed
+
+- Fixed use-after-free when generating sourcemap types
+
 ## [1.30.0] - 2024-06-23
 
 ### Deprecated

diff --git a/src/platform/roblox/RobloxSourcemap.cpp b/src/platform/roblox/RobloxSourcemap.cpp
@@ -243,6 +243,8 @@ bool RobloxPlatform::updateSourceMap()
         workspaceFolder->frontend.clear();
         updateSourceNodeMap(sourceMapContents.value());
 
+        // Recreate instance types
+        instanceTypes.clear(); // NOTE: used across BOTH instances of handleSourcemapUpdate, don't clear in between!
         auto config = workspaceFolder->client->getConfiguration(workspaceFolder->rootUri);
         bool expressiveTypes = config.diagnostics.strictDatamodelTypes;
 
@@ -323,9 +325,6 @@ void RobloxPlatform::handleSourcemapUpdate(Luau::Frontend& frontend, const Luau:
         }
     }
 
-    // Recreate instance types
-    instanceTypes.clear();
-
     // Create a type for the root source node
     getSourcemapType(globals, instanceTypes, rootSourceNode);