
'use-after-dtor' issue in StaticDecoder.cpp #275

Open
pavik opened this issue Mar 15, 2024 · 3 comments

Comments

@pavik

pavik commented Mar 15, 2024

The issue appears in the EMA library when decoding a JSON payload in StaticDecoder::setRsslData.
Call stack:

void StaticDecoder::setRsslData( Data* pData, RsslBuffer* pRsslBuffer, RsslDataType rsslType, UInt8 majVer, UInt8 minVer, const RsslDataDictionary* dictionary )
{
    ...
    morph( pData, dType );   // calls destructor on pData
    if ( !pData->getDecoder().setRsslData( majVer, minVer, pRsslBuffer, dictionary, 0 ) )  // <- pure virt function call leads to crash
    ...
}
...
void StaticDecoder::morph( Data* data, DataType::DataTypeEnum dType )
{
    if ( data->getDataType() != dType )
    {
        data->~Data();  // <- object destroyed
        StaticDecoder::create( data, dType );    // <- switch/case does not have default branch so object remains destroyed
    }
}

I hope I explained it well; feel free to ask for more details if needed.
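The destroy-then-recreate-in-place pattern described in the report, modelled as an added example (this is not code from the Real-Time SDK or from the reporter). The `Data`, `Slot`, `create`, `morphUnsafe` and `morphSafe` names are hypothetical stand-ins for EMA's `Data`, its caller-owned storage, `StaticDecoder::create` and `StaticDecoder::morph`; the `Json` enumerator is a constructed value standing for a type that the `switch` in `create` has no case for. The unsafe variant reproduces the shape of the original (destructor first, then a `switch` with no matching case), while the hardened variant checks that the requested type can actually be constructed before it destroys anything, so the slot never holds a dead object and the virtual call that follows always hits a live instance.

```cpp
// Added example, not Real-Time SDK code: minimal model of the use-after-dtor
// pattern from the issue next to a variant that refuses to destroy an object
// it cannot rebuild. All type and function names are hypothetical stand-ins.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <new>
#include <string>

// Json is a constructed sample value: there is no concrete class for it, which
// models "create() has no switch case for this type".
enum class DataType { NoData, FieldList, Map, Json };

// Stand-in for EMA's polymorphic Data base class.
struct Data {
    virtual ~Data() = default;
    virtual DataType getDataType() const = 0;
    // Stand-in for the pure virtual that setRsslData() calls right after morph().
    virtual bool setRsslData(const std::string& payload) = 0;
    std::string last;
};
struct NoDataImpl final : Data {
    DataType getDataType() const override { return DataType::NoData; }
    bool setRsslData(const std::string& p) override { last = p; return true; }
};
struct FieldListImpl final : Data {
    DataType getDataType() const override { return DataType::FieldList; }
    bool setRsslData(const std::string& p) override { last = p; return true; }
};
struct MapImpl final : Data {
    DataType getDataType() const override { return DataType::Map; }
    bool setRsslData(const std::string& p) override { last = p; return true; }
};

// Caller-owned storage that decoders are placement-constructed into.
struct Slot { alignas(std::max_align_t) unsigned char bytes[128]; };

// Models StaticDecoder::create: a switch over the type enum. Returns the new
// object, or nullptr when no case matches (the missing default branch).
Data* create(Slot& slot, DataType dType) {
    switch (dType) {
    case DataType::NoData:    return new (slot.bytes) NoDataImpl;
    case DataType::FieldList: return new (slot.bytes) FieldListImpl;
    case DataType::Map:       return new (slot.bytes) MapImpl;
    default:                  return nullptr;
    }
}

// Original shape: destroy first, then try to rebuild. When create() has no
// case for dType the caller is left with a destroyed object (nullptr here).
Data* morphUnsafe(Slot& slot, Data* data, DataType dType) {
    if (data->getDataType() == dType) return data;
    data->~Data();
    return create(slot, dType);
}

// Hardened shape: decide whether the target type is constructible before
// destroying anything, so the slot always holds a live object.
bool isConstructible(DataType dType) {
    return dType == DataType::NoData || dType == DataType::FieldList ||
           dType == DataType::Map;
}
Data* morphSafe(Slot& slot, Data* data, DataType dType) {
    if (data->getDataType() == dType) return data;
    if (!isConstructible(dType)) return data;  // keep the current object intact
    data->~Data();
    Data* fresh = create(slot, dType);
    assert(fresh != nullptr);  // guaranteed by the isConstructible() check
    return fresh;
}

// Analogue of setRsslData(): morph, then decode through the object. Returns
// false instead of calling a virtual through a pointer to a destroyed object.
bool decodeInto(Slot& slot, Data*& pData, DataType dType,
                const std::string& payload, bool useSafe) {
    pData = useSafe ? morphSafe(slot, pData, dType) : morphUnsafe(slot, pData, dType);
    if (pData == nullptr) return false;  // unsafe path: destroyed, nothing rebuilt
    return pData->setRsslData(payload);
}

// Runs one scenario from a fresh NoData object; true when decoding succeeded
// on a live object. The payload is a constructed sample.
bool scenarioSurvives(DataType dType, bool useSafe) {
    Slot slot;
    Data* p = create(slot, DataType::NoData);
    bool ok = decodeInto(slot, p, dType, "{\"constructed\":true}", useSafe);
    if (p) p->~Data();
    return ok;
}

// Type the slot holds after a safe morph from FieldList to `requested`.
DataType typeAfterSafeMorph(DataType requested) {
    Slot slot;
    Data* p = create(slot, DataType::FieldList);
    p = morphSafe(slot, p, requested);
    DataType t = p->getDataType();
    p->~Data();
    return t;
}

int main() {
    std::printf("unsafe, known type  : %s\n", scenarioSurvives(DataType::Map, false) ? "live" : "destroyed");
    std::printf("unsafe, unknown type: %s\n", scenarioSurvives(DataType::Json, false) ? "live" : "destroyed");
    std::printf("safe,   unknown type: %s\n", scenarioSurvives(DataType::Json, true) ? "live" : "destroyed");
    return 0;
}
```

The check-before-destroy ordering is the whole fix: once `~Data()` has run, there is no safe way to recover if `create()` declines the type, so the only place to reject an unknown type is before the destructor call. An equivalent alternative is a `default:` branch in `create()` that constructs a known fallback type, but that still depends on every future enumerator being handled; the up-front check fails closed instead.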

@ViktorYelizarov
Contributor

@pavik Thank you for bringing this issue to our attention! We created an internal Jira to investigate it.

@ViktorYelizarov
Contributor

@pavik Could you provide an example of how to reproduce this issue?

@pavik
Author

pavik commented Mar 15, 2024

Unfortunately I can't provide a code snippet; it is proprietary. In a nutshell, an ETA provider sends a refresh message with a JSON payload and an EMA consumer initiates the request. Btw, there is no JSON data type in EMA's DataTypeEnum; it is detected as NoDataEnum. Fortunately the payload can be read via msg.getPayload().getData().getAsHex().c_buf(). Imho it is better to fix anyway; it is a dangerous code path that can leave the object in a destructed state.
