GNU bug report logs - #11787
Potential use after free bug in coreutils 8.17


Package: coreutils;

Reported by: "Xu Zhongxing" <xu_zhong_xing <at> 163.com>

Date: Tue, 26 Jun 2012 05:22:01 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.



Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "Xu Zhongxing" <xu_zhong_xing <at> 163.com>
To: bug-coreutils <at> gnu.org
Subject: Potential use after free bug in coreutils 8.17
Date: Tue, 26 Jun 2012 13:01:13 +0800 (CST)
In Coreutils 8.17, csplit.c, static bool load_buffer (void)

On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().

- Xu Zhongxing
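
The pattern described in the report, as an added example that is not part of the original message and is not the coreutils source or its upstream fix. It is a simplified model: only line_start, next and the quoted statement come from the report; make_record, lines_freed, release_twice and the two function names are assumptions made for illustration.

```c
#include <stdlib.h>
/* Simplified model: only line_start and next come from the report. */
struct line { struct line *next; };
struct buffer_record { struct line *line_start; };
static int lines_freed;   /* instrumentation for the example */

/* Build a record owning n list nodes (constructed sample data). */
static struct buffer_record make_record(int n)
{
    struct buffer_record b = { NULL };
    while (n-- > 0) {
        struct line *l = malloc(sizeof *l);
        if (!l) abort();
        l->next = b.line_start;
        b.line_start = l;
    }
    return b;
}

/* Reported pattern: nodes are freed but buf->line_start keeps the old
   address, so a second call would run "n = l->next" on a freed node. */
static void free_buffer_once_only(struct buffer_record *buf)
{
    for (struct line *l = buf->line_start; l;) {
        struct line *n = l->next;
        free(l);
        lines_freed++;
        l = n;
    }
}

/* Hardened variant: reset the owning pointer, so a repeated call finds
   an empty list and touches no freed memory. */
static void free_buffer_idempotent(struct buffer_record *buf)
{
    free_buffer_once_only(buf);
    buf->line_start = NULL;
}

/* Free twice through the hardened function; return total nodes released. */
static int release_twice(int n)
{
    struct buffer_record b = make_record(n);
    lines_freed = 0;
    free_buffer_idempotent(&b);
    free_buffer_idempotent(&b);   /* no-op: line_start is NULL */
    return b.line_start == NULL ? lines_freed : -1;
}
int main(void) { return release_twice(3) == 3 ? 0 : 1; }
```

Building with -fsanitize=address and calling free_buffer_once_only twice on the same record is a quick way to confirm the stale-pointer read the report describes.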


This bug report was last modified 12 years and 331 days ago.
