fix: prevent use-after-free in MarkerBox

getroot · getroot · commit 2f2943a3fa87 · 2026-03-06T00:11:41.000+09:00
diff --git a/src/projects/base/modules/marker/marker_box.cpp b/src/projects/base/modules/marker/marker_box.cpp
@@ -515,7 +515,7 @@ std::vector<std::shared_ptr<Marker>> MarkerBox::PopMarkers(int64_t start_timesta
 	std::vector<std::shared_ptr<Marker>> markers;
 	for (auto it = _markers_by_timestamp.begin(); it != _markers_by_timestamp.end();)
 	{
-		auto &marker = it->second;
+		auto marker = it->second;  // copy shared_ptr to prevent use-after-free after erase
 		if (marker->GetTimestamp() >= start_timestamp && marker->GetTimestamp() < end_timestamp)
 		{
 			markers.push_back(marker);
@@ -538,7 +538,7 @@ std::vector<std::shared_ptr<Marker>> MarkerBox::PopMarkers(int64_t end_timestamp
 	std::vector<std::shared_ptr<Marker>> markers;
 	for (auto it = _markers_by_timestamp.begin(); it != _markers_by_timestamp.end();)
 	{
-		auto &marker = it->second;
+		auto marker = it->second;  // copy shared_ptr to prevent use-after-free after erase
 		if (marker->GetTimestamp() < end_timestamp)
 		{
 			markers.push_back(marker);
@@ -570,8 +570,9 @@ bool MarkerBox::RemoveMarker(int64_t timestamp)
 		return false;
 	}
 
+	auto seq_num = it->second->GetDesiredSequenceNumber();  // save before erase invalidates iterator
 	_markers_by_timestamp.erase(it);
-	_markers_by_sequence_number.erase(it->second->GetDesiredSequenceNumber());
+	_markers_by_sequence_number.erase(seq_num);
 
 	return true;
 }
@@ -582,7 +583,7 @@ void MarkerBox::RemoveExpiredMarkers(int64_t current_timestamp)
 
 	for (auto it = _markers_by_timestamp.begin(); it != _markers_by_timestamp.end();)
 	{
-		auto &marker = it->second;
+		auto marker = it->second;  // copy shared_ptr to prevent use-after-free after erase
 		if (marker->GetTimestamp() < current_timestamp)
 		{
 			logtc("Remove expired marker:(%" PRId64 ") %" PRId64 " - %s", current_timestamp, marker->GetTimestamp(), marker->GetTag().CStr());

Original file line number	Diff line number	Diff line change
`@@ -515,7 +515,7 @@ std::vector<std::shared_ptr<Marker>> MarkerBox::PopMarkers(int64_t start_timesta`
`515`	`515`	`std::vector<std::shared_ptr<Marker>> markers;`
`516`	`516`	`for (auto it = _markers_by_timestamp.begin(); it != _markers_by_timestamp.end();)`
`517`	`517`	`{`
`518`		`- auto &marker = it->second;`
	`518`	`+ auto marker = it->second; // copy shared_ptr to prevent use-after-free after erase`
`519`	`519`	`if (marker->GetTimestamp() >= start_timestamp && marker->GetTimestamp() < end_timestamp)`
`520`	`520`	`{`
`521`	`521`	`markers.push_back(marker);`
`@@ -538,7 +538,7 @@ std::vector<std::shared_ptr<Marker>> MarkerBox::PopMarkers(int64_t end_timestamp`
`538`	`538`	`std::vector<std::shared_ptr<Marker>> markers;`
`539`	`539`	`for (auto it = _markers_by_timestamp.begin(); it != _markers_by_timestamp.end();)`
`540`	`540`	`{`
`541`		`- auto &marker = it->second;`
	`541`	`+ auto marker = it->second; // copy shared_ptr to prevent use-after-free after erase`
`542`	`542`	`if (marker->GetTimestamp() < end_timestamp)`
`543`	`543`	`{`
`544`	`544`	`markers.push_back(marker);`
`@@ -570,8 +570,9 @@ bool MarkerBox::RemoveMarker(int64_t timestamp)`
`570`	`570`	`return false;`
`571`	`571`	`}`
`572`	`572`
	`573`	`+ auto seq_num = it->second->GetDesiredSequenceNumber(); // save before erase invalidates iterator`
`573`	`574`	`_markers_by_timestamp.erase(it);`
`574`		`- _markers_by_sequence_number.erase(it->second->GetDesiredSequenceNumber());`
	`575`	`+ _markers_by_sequence_number.erase(seq_num);`
`575`	`576`
`576`	`577`	`return true;`
`577`	`578`	`}`
`@@ -582,7 +583,7 @@ void MarkerBox::RemoveExpiredMarkers(int64_t current_timestamp)`
`582`	`583`
`583`	`584`	`for (auto it = _markers_by_timestamp.begin(); it != _markers_by_timestamp.end();)`
`584`	`585`	`{`
`585`		`- auto &marker = it->second;`
	`586`	`+ auto marker = it->second; // copy shared_ptr to prevent use-after-free after erase`
`586`	`587`	`if (marker->GetTimestamp() < current_timestamp)`
`587`	`588`	`{`
`588`	`589`	`logtc("Remove expired marker:(%" PRId64 ") %" PRId64 " - %s", current_timestamp, marker->GetTimestamp(), marker->GetTag().CStr());`