gawk: invalid free in str2wstr()

bug-gnu-utils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

gawk: invalid free in str2wstr()

From:	Dmitry V. Levin
Subject:	gawk: invalid free in str2wstr()
Date:	Mon, 18 Dec 2006 18:22:57 +0300

Hi,

str2wstr() does free(n->wstptr) call if n->wstptr != NULL which is wrong:
"n->wstptr != NULL" does not yet mean that WSTRCUR is set and
n->wstptr is valid malloc'ed pointer.

This may lead to invalid free, and this invalid free is reproducable
(originally reported by Nikolay Fetisov in
https://bugzilla.altlinux.org/show_bug.cgi?id=9785):
$ cat in
FOO=BAR

##
#This_is_a_comment
#This_is_a_comment
$ env -i LANG=ru_RU.UTF-8 gawk '{ print match ($1,"^ *(#|$)") }' in
0
1
1
1
*** glibc detected *** gawk: double free or corruption (fasttop): 0x08099840 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7ebb159]
/lib/libc.so.6(cfree+0x7e)[0xb7ebc6b0]
gawk(str2wstr+0x30)[0x806ee6d]
[...]

Proposed fix is attached.


-- 
ldv

gawk-3.1.5-alt-str2wstr.diff
Description: Text document

pgpQl2gl1igR2.pgp
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

gawk: invalid free in str2wstr(), Dmitry V. Levin <=

Prev by Date: gawk: do_match() invalid read
Next by Date: Re: gawk: free_wstr() invalid write
Previous by thread: gawk: do_match() invalid read
Next by thread: Whats wrong with 'sets in grep'
Index(es):
- Date
- Thread