godzil/ack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix bugs with memory allocation in ego.

Browse Source 
cf/cf_loop.c and share/put.c tried to read the next pointer in an
element of a linked list after freeing the element.  ud/ud_copy.c
tried to read beyond the end of the _defs_ array: it only has
_nrexpldefs_ elements, not _nrdefs_ elements.

These bugs caused core dumps on OpenBSD.  Its malloc() put _defs_ near
the end of a page, so reading beyond the end crossed into an unmapped
page.  Its free() wrote junk bytes and changed the next pointer to
0xdfdfdfdfdfdfdfdf.
This commit is contained in:
George Koehler
2016-09-09 23:37:43 -04:00
parent 8c94b1316c
commit b1d1b5e1f8
3 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
util/ego/ud/ud_copy.c
View File

@@ -59,7 +59,7 @@ STATIC traverse_defs(p,action)
def_to_copynr = newtable(nrdefs);
cnt = 1;
}
if (defcnt > nrdefs) return;
if (defcnt > nrexpldefs) return;
for (b = p->p_start; b != (bblock_p) 0; b = b->b_next) {
for (l = b->b_start; l != (line_p) 0; l = l->l_next) {
if (defs[defcnt] == l) {
@@ -75,7 +75,7 @@ STATIC traverse_defs(p,action)
}
}
}
if (++defcnt > nrdefs) return;
if (++defcnt > nrexpldefs) return;
}
}
}