[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PSPP-BUG: [bug #32757] use-after-free with TEMPORARY in some procedures

From: Ben Pfaff
Subject: PSPP-BUG: [bug #32757] use-after-free with TEMPORARY in some procedures
Date: Sat, 12 Mar 2011 16:58:08 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20110107 Iceweasel/3.5.16 (like Firefox/3.5.16)


                 Summary: use-after-free with TEMPORARY in some procedures
                 Project: PSPP
            Submitted by: blp
            Submitted on: Sat Mar 12 08:58:06 2011
                Category: Syntax Parser
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Effort: 0.00



A recent commit explains the issue:

commit 12212dfd8afc14405274703b511c32d362ec0ab5
Author: Ben Pfaff <address@hidden>
Date:   Thu Mar 10 22:53:17 2011 -0800

    T-TEST: Fix use-after-free with TEMPORARY and independent samples.
    When TEMPORARY is in effect, proc_commit() destroys the temporary
    dictionary.  This means that any procedure that does not somehow disable
    temporary transformations and refers to a variable following
    has a use-after-free error.
    T-TEST has two different bugs of this type.  First, the loop that
    group statistics refers to destroyed variables.  This commit fixes this
    problem by instead using variable aux data destructors to destroy group
    Second, when there is an independent variable, destroying its values
    requires knowing the variable's width.  This commit fixes this problem by
    destroying the values before calling proc_commit().
    The AUTORECODE, DESCRIPTIVES, RANK, and REGRESSION procedures appear to
    have similar issues (not fixed by this commit).
    Reported by Jeremy Lavergne <address@hidden>.


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]