[bug #62040] [troff] double-free crash provoked by HTML man(7) output

bug-groff

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #62040] [troff] double-free crash provoked by HTML man(7) output

From:	G. Branden Robinson
Subject:	[bug #62040] [troff] double-free crash provoked by HTML man(7) output
Date:	Sun, 15 May 2022 01:34:29 -0400 (EDT)

Follow-up Comment #9, bug #62040 (project groff):

Thanks for the follow-up, Bjarni.

I have a mitigation for this that I'll be pushing soon; by "mitigation", I
mean that the SEGV no longer happens.  This will enable the severity to be
lowered to "normal", or perhaps "minor".

I do not regard the problem as root-caused yet, and I'm not confident that
your explanation is a correct one.  Yes, any exiting Unix process gets all its
memory freed, but that's not a reason to be careless with memory.  When we're
done with heap-allocated memory, we should delete or free it.  A double free
is usually a bug.


commit ab0793f5cadb8dbcb84cb49d59bc31855fd8b5ac
Author:     G. Branden Robinson <g.branden.robinson@gmail.com>
AuthorDate: Sat May 14 23:32:14 2022 -0500
Commit:     G. Branden Robinson <g.branden.robinson@gmail.com>
CommitDate: Sat May 14 23:34:49 2022 -0500

    [grohtml]: Mitigate Savannah #62040.
    
    [grohtml]: Mitigate double-free problem exposed by malformed input.
    
    * src/roff/troff/mtsm.h (struct statem): Place member variable
      `issue_no` behind `DEBUGGING` preprocessor symbol, omitting it
      from production and ordinary development builds.
    
    * src/roff/troff/mtsm.cpp (no_of_statems): Place global variable
      behind `DEBUGGING` preprocessor symbol, omitting it from production
      and ordinary development builds.
    
      (statem::statem): Make constructor trivial if `DEBUGGING` not defined
      in preprocessor; it manipulates only `issue_no` and `no_of_statems`,
      which are synchronized.
    
      (statem::statem {copy}): Gate assignment of `issue_no` member variable
      from copy constructor behind `DEBUGGING` preprocessor symbol.
    
      (statem::flush, mtsm::inherit): Gate debugging output, already
      runtime-gated on `debug_state` symbol, of `issue_no` member variable,
      so that we don't reference it when it is not declared.
    
    See <https://savannah.gnu.org/bugs/?62040>.



    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?62040>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[bug #62040] [troff] double-free crash provoked by HTML man(7) output, G. Branden Robinson, 2022/05/14
- [bug #62040] [troff] double-free crash provoked by HTML man(7) output, Bjarni Ingi Gislason, 2022/05/15
  - [bug #62040] [troff] double-free crash provoked by HTML man(7) output, Bjarni Ingi Gislason, 2022/05/15
    - [bug #62040] [troff] double-free crash provoked by HTML man(7) output, G. Branden Robinson <=
    - [bug #62040] [troff] audit mtsm/statem memory usage, G. Branden Robinson, 2022/05/15

Prev by Date: [bug #62040] [troff] double-free crash provoked by HTML man(7) output
Next by Date: [bug #62040] [troff] audit mtsm/statem memory usage
Previous by thread: [bug #62040] [troff] double-free crash provoked by HTML man(7) output
Next by thread: [bug #62040] [troff] audit mtsm/statem memory usage
Index(es):
- Date
- Thread