bug-gnu-utils

Re: gawk: free_wstr() invalid write


From: Karel Zak
Subject: Re: gawk: free_wstr() invalid write
Date: Fri, 12 Jan 2007 11:05:47 +0100
User-agent: Mutt/1.5.11

On Mon, Dec 18, 2006 at 06:27:52PM +0300, Dmitry V. Levin wrote:
> Hi,
> 
> free_wstr() zeroes wstptr and wstlen pointers even if WSTRCUR flag is not
> set, which is wrong and may lead to invalid write, similar to invalid free
> in str2wstr().
> 
> @@ -774,10 +774,10 @@ free_wstr(NODE *n)
>       if ((n->flags & WSTRCUR) != 0) {
>               assert(n->wstptr != NULL);
>               free(n->wstptr);
> +             n->wstptr = NULL;
> +             n->wstlen = 0;
> +             n->flags &= ~WSTRCUR;
>       }
> -     n->wstptr = NULL;
> -     n->wstlen = 0;
> -     n->flags &= ~WSTRCUR;
>  }
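
Review bot: with the three resets moved inside the "if ((n->flags & WSTRCUR) != 0)" block, free_wstr() no longer touches n->wstptr or n->wstlen when the flag is clear, so a caller that reaches it with a non-NULL wstptr and WSTRCUR unset keeps that value afterwards. Audit the call sites for any that depended on the old unconditional reset, and add a comment above free_wstr() stating that it only acts on nodes that have WSTRCUR set.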

 If you want to use this patch you should check all places where
 free_wstr() is called, because gawk has used this routine (also) for
 zeroization in some places.
 
 See original 3.1.5 code -- there wasn't always "if (n->flags &
 WSTRCUR)" before n->wstptr = NULL. For example in unref(), or
 mk_number().

    Karel

-- 
 Karel Zak  <address@hidden>
