Fix bugs with memory allocation in ego.
cf/cf_loop.c and share/put.c tried to read the next pointer in an element of a linked list after freeing the element. ud/ud_copy.c tried to read beyond the end of the _defs_ array: it only has _nrexpldefs_ elements, not _nrdefs_ elements. These bugs caused core dumps on OpenBSD. Its malloc() put _defs_ near the end of a page, so reading beyond the end crossed into an unmapped page. Its free() wrote junk bytes and changed the next pointer to 0xdfdfdfdfdfdfdfdf.
This commit is contained in:
George Koehler
@@ -386,6 +386,7 @@ putunit(kind,p,l,gf,lf)
|
||||
register bblock_p b;
|
||||
register short n = 0;
|
||||
Lindex pi;
|
||||
bblock_p nextb;
|
||||
loop_p lp;
|
||||
|
||||
curoutp = gf;
|
||||
@@ -432,10 +433,12 @@ putunit(kind,p,l,gf,lf)
|
||||
* after it has been written, because there may be references
|
||||
* to it from other (later) blocks.
|
||||
*/
|
||||
for (b = p->p_start; b != (bblock_p) 0; b = b->b_next) {
|
||||
for (b = p->p_start; b != (bblock_p) 0; b = nextb) {
|
||||
Ldeleteset(b->b_loops);
|
||||
Ldeleteset(b->b_succ);
|
||||
Ldeleteset(b->b_pred);
|
||||
/* Must read b->b_next before releasing b */
|
||||
nextb = b->b_next;
|
||||
oldbblock(b);
|
||||
}
|
||||
/* Release the memory for the lmap, lbmap, bmap, lpmap tables */
|
||||
|
||||
Reference in New Issue
Block a user