[Bug stdio/26214] New: printf_fp double free


[Bug stdio/26214] New: printf_fp double free

Sourceware - glibc-bugs mailing list
https://sourceware.org/bugzilla/show_bug.cgi?id=26214

            Bug ID: 26214
           Summary: printf_fp double free
           Product: glibc
           Version: 2.32
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
  Target Milestone: ---

__printf_fp_l has a double free bug in the case where it allocates memory with
malloc internally, then has an I/O error while outputting trailing padding and
tries to free that already-freed memory when the error occurs. The following
test reproduces that bug (with a segfault).

#include <stdio.h>
#include <stdlib.h>

int
main (void)
{
  FILE *fp;
  char buf[131072];
  /* Writes to /dev/full always fail with ENOSPC, so the first buffer
     flush during output reports an I/O error.  */
  if ((fp = fopen ("/dev/full", "w")) == NULL)
    exit (1);
  /* A large, fully buffered stream delays that failing flush until
     __printf_fp_l is already emitting the trailing padding.  */
  if (setvbuf (fp, buf, _IOFBF, sizeof buf) != 0)
    exit (2);
  /* The very large precision is what makes __printf_fp_l allocate its
     working buffer with malloc; the left-justified width of 1000000
     produces the trailing padding during which the error occurs.  */
  fprintf (fp, "%-1000000.65536f", 1.0);
  return 0;
}

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26214] printf_fp double free

Sourceware - glibc-bugs mailing list
https://sourceware.org/bugzilla/show_bug.cgi?id=26214

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.32
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Joseph Myers <jsm28 at gcc dot gnu.org> ---
Fixed for 2.32.

commit ede56038e50235cd1ca7de3602c9491d3b84b49b
Author: Joseph Myers <[hidden email]>
Date:   Thu Jul 9 21:51:49 2020 +0000

    Fix double free in __printf_fp_l (bug 26214).

    __printf_fp_l has a double free bug in the case where it allocates
    memory with malloc internally, then has an I/O error while outputting
    trailing padding and tries to free that already-freed memory when the
    error occurs.  This patch fixes this by setting the relevant pointer
    to NULL after the first free (the only free of this pointer that isn't
    immediately followed by returning from the function).

    Tested for x86_64 and x86.

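Added illustration (not glibc's code) of the bug shape described in the report and the commit message above: a constructed C model with a failing output sink and an instrumented free, where format_padded, sink_write, tracked_free and count_double_frees are all assumed names. It shows why the second free is reached on the error path and why setting the pointer to NULL after the first free, as the fix does, makes that path harmless.

```c
#include <stdlib.h>

/* Constructed output sink modelling /dev/full: the first `capacity` bytes
   are accepted, every later write fails (like an fflush hitting ENOSPC). */
struct sink { size_t capacity, written; };
static int sink_write(struct sink *s, size_t n) {
  if (s->written + n > s->capacity) return -1;
  s->written += n;
  return 0;
}

/* Instrumented release: the block is only marked released here and freed
   by the caller afterwards, so a second release of the same pointer is
   counted instead of corrupting the heap. free (NULL) stays a no-op. */
static void *released;
static int double_frees;
static void tracked_free(void *p) {
  if (p == NULL) return;
  if (p == released) double_frees++;
  else released = p;
}

/* Simplified model of __printf_fp_l's structure: digits are built in a
   malloc'ed buffer and written, the buffer is freed, then trailing padding
   is written; any I/O error jumps to one shared cleanup path. */
static int format_padded(struct sink *s, size_t ndigits, size_t pad,
                         int fixed) {
  char *buf = malloc(ndigits);
  if (buf == NULL) return -1;
  if (sink_write(s, ndigits) < 0) goto fail;
  tracked_free(buf);
  if (fixed) buf = NULL;              /* the upstream fix: NULL after free */
  for (size_t i = 0; i < pad; i++)    /* trailing padding from "%-W" */
    if (sink_write(s, 1) < 0) goto fail;
  return 0;
fail:
  tracked_free(buf);                  /* second free of buf when !fixed */
  return -1;
}

/* Runs one variant against a sink that fails mid-padding and reports how
   many double frees it provoked: 1 for the buggy shape, 0 once fixed. */
int count_double_frees(int fixed) {
  struct sink s = { .capacity = 8, .written = 0 };
  double_frees = 0;
  format_padded(&s, 3, 16, fixed);    /* 3 digit bytes, 16 padding bytes */
  free(released);                     /* the deferred real free */
  released = NULL;
  return double_frees;
}
```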