kroening
commented
4 months ago It's in this rule:
attribute : NAME EQ VALUE { xml_parser.current().set_attribute( xmlt::unescape($1), xmlt::unescape($3)); free($1); free($3);} ;
xmlt::unescape takes an std::string, so copies. Tough to see where the double-free happens. It may well be the case that CodeQL can't distinguish $1 from $3.
https://github.com/diffblue/cbmc/security/code-scanning/4 reports a double free without giving a detailed example or trace. Trying to reproduce a
freeat source line 1235 on Ubuntu 22.04 (Bison 3.8.2) is failing for me for that line is just blank. It is still possible that CodeQL is right for the XML parser does usefreein a couple of places. Likely requires setting up CodeQL CLI to reproduce with local source code.