Re: gawk: free_wstr() invalid write
From: Aharon Robbins
Subject: Re: gawk: free_wstr() invalid write
Date: Thu, 04 Jan 2007 18:24:11 +0200

Greetings. I am working my way through backed up email. Now that I look
at your note again, you may be right.

free_wstr should only be called on a node of type string, and the
wstptr and wstlen members don't overlap with the regular string values
or anything else of importance, so assigning to them outside the `if'
should be OK.

Nonetheless, I will apply your patch, to be on the safe side.

Thanks,

Arnold

> Date: Mon, 18 Dec 2006 18:27:52 +0300
> From: "Dmitry V. Levin" <address@hidden>
> Subject: gawk: free_wstr() invalid write
> To: address@hidden
>
> Hi,
>
> free_wstr() zeroes wstptr and wstlen pointers even if WSTRCUR flag is not
> set, which is wrong and may lead to invalid write, similar to invalid free
> in str2wstr().
>
> Proposed fix is attached.
>
>
> --
> ldv
>
> --DIOMP1UsTsWJauNi
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: attachment; filename="gawk-3.1.5-alt-free_wstr.diff"
> Content-Transfer-Encoding: quoted-printable
>
> 2006-12-18 Dmitry V. Levin <address@hidden>
>
> * node.c (free_wstr): Zero wstptr and wstlen only if WSTRCUR
> flag is set.
>
> Index: node.c
> ===================================================================
> RCS file: /sources/gawk/gawk-stable/node.c,v
> retrieving revision 1.2
> diff -u -p -r1.2 node.c
> --- node.c 11 Aug 2006 12:49:40 -0000 1.2
> +++ node.c 18 Dec 2006 14:56:56 -0000
> @@ -774,10 +774,10 @@ free_wstr(NODE *n)
> if ((n->flags & WSTRCUR) != 0) {
> assert(n->wstptr != NULL);
> free(n->wstptr);
> + n->wstptr = NULL;
> + n->wstlen = 0;
> + n->flags &= ~WSTRCUR;
> }
> - n->wstptr = NULL;
> - n->wstlen = 0;
> - n->flags &= ~WSTRCUR;
> }
>
> #if 0
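
Review bot: the guarded block in free_wstr() carries no comment stating why the writes to n->wstptr and n->wstlen now sit inside the WSTRCUR check, and that invariant is the whole point of the change. With the three assignments moved under `if ((n->flags & WSTRCUR) != 0)`, a node whose flag is clear keeps whatever wstptr and wstlen already hold, so every reader of those members has to test WSTRCUR first rather than compare wstptr against NULL. A one-line comment above the `if` saying that wstptr and wstlen are meaningful only while WSTRCUR is set would keep a later cleanup from hoisting the assignments back out. Moving `n->flags &= ~WSTRCUR;` inside the block changes nothing by itself, since clearing a flag that is already clear is a no-op.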