Closed
The clear() method looks like this:

```cpp
void
Triangles::clear ()
{
  m_edges_heap.clear ();
  mp_triangles.clear ();
  m_vertex_heap.clear ();
  m_returned_edges.clear ();
  m_is_constrained = false;
  m_level = 0;
  m_id = 0;
}
```

However, mp_triangles contains pointers to objects stored in m_edges_heap, so running `mp_triangles.clear ();` after `m_edges_heap.clear ();` makes it "examine" objects that have already been freed in `m_edges_heap.clear ();`, which is a use-after-free.
The "simple fix" I have come up with is just exchanging the two calls to clear():
@@ -1414,8 +1414,8 @@ Triangles::remove_outside_triangles ()
void
Triangles::clear ()
{
- m_edges_heap.clear ();
mp_triangles.clear ();
+ m_edges_heap.clear ();
m_vertex_heap.clear ();
m_returned_edges.clear ();
m_is_constrained = false;
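Review bot: the swap fixes the call order but leaves the dependency implicit, so the next person reordering these lines can reintroduce the use-after-free; add a comment above `mp_triangles.clear ();` such as `// mp_triangles holds pointers into m_edges_heap: clear it before the heap`, and check whether `m_vertex_heap.clear ();` on the following line has the same ordering constraint if triangles or edges also keep raw pointers into the vertex heap. Since the class destructor will release these members in reverse declaration order regardless of this function, it is also worth confirming that the member declaration order agrees with the order now used here.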
but maybe my logic is wrong?
Overall it does not sound like a good practice, to have seemingly unrelated calls depend on the sequence. Something RAII-like would have been much nicer.
This is indicated by the test called dbTrianglesTests:triangulate_basic.
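An added, self-contained model of the ownership pattern described in this issue (not KLayout's code; the names `Edge`, `Triangle` and `Triangulation` are assumptions chosen for illustration). It shows why clearing the pointer holders before the heap they point into matters, adds the debug guard a reviewer would want so a misordered clear() fails loudly instead of silently dereferencing freed memory, and uses member declaration order plus `std::unique_ptr` so that destruction follows the same dependency automatically, the RAII-like arrangement the issue asks for.

```cpp
#include <cassert>
#include <cstddef>
#include <list>
#include <memory>
#include <vector>

// Constructed model: an edge heap owns Edge objects, triangles hold raw
// pointers into it and unregister themselves from their edges when destroyed.
struct Edge {
  int triangle_refs = 0;   // number of live triangles pointing at this edge
};

struct Triangle {
  Edge *e[3];
  Triangle(Edge *a, Edge *b, Edge *c) : e{a, b, c} {
    for (Edge *x : e) ++x->triangle_refs;
  }
  ~Triangle() {
    // "Examines" the edges on destruction: this is the dereference that
    // becomes a use-after-free if the edge heap was cleared first.
    for (Edge *x : e) --x->triangle_refs;
  }
};

class Triangulation {
public:
  Edge *new_edge() {
    m_edges_heap.emplace_back();          // std::list keeps addresses stable
    return &m_edges_heap.back();
  }
  Triangle *new_triangle(Edge *a, Edge *b, Edge *c) {
    m_triangles.emplace_back(new Triangle(a, b, c));
    return m_triangles.back().get();
  }
  // Explicit clear(): release the pointer holders first, then the storage
  // they point into, mirroring the order the issue proposes.
  void clear() {
    m_triangles.clear();                  // destructors unregister from live edges
    // Debug guard: no edge may still be referenced when its storage goes away.
    for (const Edge &e : m_edges_heap) assert(e.triangle_refs == 0);
    m_edges_heap.clear();
  }
  size_t edge_count() const { return m_edges_heap.size(); }
  size_t triangle_count() const { return m_triangles.size(); }

private:
  // Members are destroyed in reverse declaration order, so declaring the
  // heap first guarantees the triangles (and their dereferences) go first
  // in the implicit destructor too, without relying on a hand-written order.
  std::list<Edge> m_edges_heap;
  std::vector<std::unique_ptr<Triangle>> m_triangles;
};

// Build one triangle over three edges, verify it is registered, then clear
// and verify everything was released; the guard in clear() would fire if the
// order were wrong.
bool clear_releases_everything() {
  Triangulation tri;
  Edge *a = tri.new_edge();
  Edge *b = tri.new_edge();
  Edge *c = tri.new_edge();
  tri.new_triangle(a, b, c);
  if (a->triangle_refs != 1 || tri.triangle_count() != 1) return false;
  tri.clear();
  return tri.triangle_count() == 0 && tri.edge_count() == 0;
}

int main() { return clear_releases_everything() ? 0 : 1; }
```

Running a misordered variant (heap cleared before the triangles) under AddressSanitizer or with the assert enabled is the quickest way to confirm such a defect; the guard turns the silent dangling dereference into a deterministic failure, which is also what a unit test like the one named in this issue would catch.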