Fix bugs with memory allocation in ego.

cf/cf_loop.c and share/put.c tried to read the next pointer in an
element of a linked list after freeing the element.  ud/ud_copy.c
tried to read beyond the end of the _defs_ array: it only has
_nrexpldefs_ elements, not _nrdefs_ elements.

These bugs caused core dumps on OpenBSD.  Its malloc() put _defs_ near
the end of a page, so reading beyond the end crossed into an unmapped
page.  Its free() wrote junk bytes and changed the next pointer to
0xdfdfdfdfdfdfdfdf.
George Koehler
2016-09-09 23:37:43 -04:00
parent 8c94b1316c
commit b1d1b5e1f8
3 changed files with 11 additions and 5 deletions


@@ -171,9 +171,12 @@ STATIC collapse_loops(loops_p)
for (li1 = Lfirst(*loops_p); li1 != (Lindex) 0; li1 = Lnext(li1,*loops_p)) {
lp1 = (loop_p) Lelem(li1);
lp1->lp_level = (short) 0;
for (li2 = Lfirst(*loops_p); li2 != (Lindex) 0;
li2 = Lnext(li2,*loops_p)) {
/* Lnext(li2,*loops_p) must happen before
* Lremove(lp2,loops_p) releases the memory for li2.
*/
for (li2 = Lfirst(*loops_p); li2 != (Lindex) 0;) {
lp2 = (loop_p) Lelem(li2);
li2 = Lnext(li2,*loops_p);
if (lp1 != lp2 && lp1->lp_entry == lp2->lp_entry) {
Ljoin(lp2->LP_BLOCKS,&lp1->LP_BLOCKS);
oldcflpx(lp2->lp_extend);