GNU bug report logs - #11787
Potential use after free bug in coreutils 8.17


Package: coreutils;

Reported by: "Xu Zhongxing" <xu_zhong_xing <at> 163.com>

Date: Tue, 26 Jun 2012 05:22:01 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.



Message #12 received at 11787-done <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Xu Zhongxing <xu_zhong_xing <at> 163.com>
Cc: 11787-done <at> debbugs.gnu.org
Subject: Re: bug#11787: Potential use after free bug in coreutils 8.17
Date: Tue, 26 Jun 2012 22:09:42 +0100
On 06/26/2012 01:33 PM, Xu Zhongxing wrote:
> I would like to mention that this bug (and a previous one) was found by a static analysis tool called Canalyze developed by us.

I guessed that as you can see from the commit message below :)

> See http://lcs.ios.ac.cn/~xzx/

I'll include that URL since you imply it's fairly permanent.

cheers,
Pádraig.

> 
> On 2012/6/26 18:32, Pádraig Brady wrote:
>> On 06/26/2012 06:01 AM, Xu Zhongxing wrote:
>>> In Coreutils 8.17, csplit.c, static bool load_buffer (void)
>>>
>>> On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer() at "struct line *n = l->next;", where buf->line_start is freed in the first call of free_buffer().
>>>
>>> - Xu Zhongxing
>> I think this will address it.
>>
>> thanks!
>> Pádraig.
>>
>> commit 5958bb44c4d7cf3b69bb62955b3ece9d0715eb60
>> Author: Pádraig Brady <P <at> draigBrady.com>
>> Date:   Tue Jun 26 11:13:45 2012 +0100
>>
>>      maint: avoid a static analysis warning in csplit
>>
>>      The Canalyze static code analyzer correctly surmised
>>      that there is a use-after-free bug in free_buffer()
>>      at the line "struct line *n = l->next", if that
>>      function is called multiple times.
>>
>>      This is not a runtime issue since a list of lines
>>      will not be present in the !lines_found case.

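The hazard the report describes, as an added example that is not part of the thread and not coreutils' csplit.c (whose real struct layout and free_buffer() body are not reproduced): a dangling form of free_buffer() beside one that tolerates repeated calls, using the report's names struct line, struct buffer, free_buffer and line_start with assumed fields.

```c
/* Added example, not coreutils code: a cut-down model of csplit's line list
   showing why a second free_buffer() call on one buffer is a use-after-free,
   beside a form that tolerates repeated calls. Names follow the report
   (struct line, struct buffer, free_buffer, line_start); fields are assumed. */
#include <stdio.h>
#include <stdlib.h>
struct line { size_t len; struct line *next; };
struct buffer { struct line *line_start; };  /* head of the line list */

/* Hazardous form: frees the list but leaves line_start dangling, so a
   second call reads l->next from freed memory (what Canalyze flagged). */
void free_buffer_dangling (struct buffer *b)
{
  for (struct line *l = b->line_start, *n; l; l = n) {
    n = l->next;  /* on a repeated call, l is already freed */
    free (l);
  }
}

/* Defensive form: same traversal, then the head is cleared so repeated
   calls are no-ops. Returns the count freed so callers can observe that. */
size_t free_buffer (struct buffer *b)
{
  size_t freed = 0;
  for (struct line *l = b->line_start, *n; l; l = n, freed++) {
    n = l->next;
    free (l);
  }
  b->line_start = NULL;
  return freed;
}

/* Constructed input: a buffer holding COUNT synthetic line records. */
struct buffer make_buffer (size_t count)
{
  struct buffer b = { NULL };
  for (size_t i = 0; i < count; i++) {
    struct line *l = malloc (sizeof *l);
    if (!l) abort ();
    l->len = i; l->next = b.line_start;
    b.line_start = l;
  }
  return b;
}

int main (void)
{
  struct buffer b = make_buffer (3);
  size_t first = free_buffer (&b), second = free_buffer (&b);
  printf ("freed %zu then %zu\n", first, second);  /* prints "freed 3 then 0" */
  return 0;
}
```

The commit quoted above notes that csplit never reaches the second call with a populated list, so the warning was not a runtime bug there; clearing the head after freeing is the cheap way to keep that property from depending on call-site reasoning.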