Re: [Man-db-devel] mandb: double free or corruption
From: Colin Watson
Subject: Re: [Man-db-devel] mandb: double free or corruption
Date: Mon, 3 Oct 2011 13:26:39 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
On Mon, Oct 03, 2011 at 01:46:51PM +0200, Peter Schiffer wrote:
> I am sending a quick-fix patch that solves the double free or corruption
> crash in man-db.
>
> This man page caused the problem:
>
> ult_src: File /usr/share/man/man8/dpm-srmv1.8.gz in mantree /usr/share/man
> ult_softlink: (/usr/lib64/dpm-mysql/dpm-srmv1.8.gz)
> "srmv1 - start the SRM v1 server"
> record = 'srmv1 - start the SRM v1 server'
> trace->names[0] = '/usr/share/man/man8/dpm-srmv1.8.gz'
> trace->names[1] = '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz'
> mandb: warning: /usr/lib64/dpm-mysql/dpm-srmv1.8.gz: ignoring bogus filename
>
>
> When the function filename_info is called from
> src/descriptions_store.c:95 with
> '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz' as the first param, it exits at
> src/filenames.c:140 because of the bogus filename (info->sec is '-mysql'
> instead of 8), returns null and doesn't set trace_info.name.
> After that, trying to free trace_info.name in
> src/descriptions_store.c:119 causes the crash.
>
> The patch is only a hotfix; feel free to modify it or solve this issue
> any way you wish.
Thanks for your analysis and patch. I think it would be better to
change filename_info to ensure that all info fields are defined on exit,
either manually or by calling memset at the start; that way we're sure
to avoid this bug at all call sites, not just in store_descriptions.
Could you try that instead?
I would also appreciate a test case in src/tests/ exercising this bug,
if you can.
Thanks,
--
Colin Watson address@hidden
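Colin's suggestion above, worked through as an added example that is not man-db's own code: a simplified filename_info() zeroes its output struct before parsing, so the bogus-filename path (a directory that is not "manN", such as dpm-mysql) returns NULL with name still NULL, and a store_descriptions-style caller can free() it unconditionally. The struct layout, parsing rules and function names are assumptions for illustration, not the project's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fileinfo {
	char *name;    /* heap page name, e.g. "dpm-srmv1" (hypothetical layout) */
	char sec[16];  /* section taken from the "manN" directory component */
};
/* Simplified filename_info(): returns info, or NULL for a bogus filename.
 * The memset leaves every field defined on exit, so callers may free(info->name). */
static struct fileinfo *filename_info(const char *file, struct fileinfo *info)
{
	const char *slash, *dir, *base, *end, *dot;
	size_t seclen, extlen, namelen;
	memset(info, 0, sizeof *info);             /* the fix: no indeterminate fields */
	slash = strrchr(file, '/');
	if (!slash) return NULL;
	for (dir = slash; dir > file && dir[-1] != '/'; dir--)
		;                                      /* start of parent directory */
	seclen = (size_t)(slash - dir);
	if (seclen < 4 || seclen - 3 >= sizeof info->sec) return NULL;
	memcpy(info->sec, dir + 3, seclen - 3);    /* "man8" -> "8", "dpm-mysql" -> "-mysql" */
	base = slash + 1;
	end = base + strlen(base);
	if (end - base > 3 && strcmp(end - 3, ".gz") == 0)
		end -= 3;                              /* drop compression suffix */
	if (end == base) return NULL;
	for (dot = end - 1; dot > base && *dot != '.'; dot--)
		;                                      /* find sectional extension */
	extlen = (size_t)(end - dot - 1);
	if (dot == base || extlen != strlen(info->sec) ||
	    memcmp(info->sec, dot + 1, extlen) != 0)
		return NULL;                           /* section/extension mismatch: bogus */
	namelen = (size_t)(dot - base);
	info->name = malloc(namelen + 1);
	if (!info->name) return NULL;
	memcpy(info->name, base, namelen);
	info->name[namelen] = '\0';
	return info;
}
/* Caller in the shape of store_descriptions(): frees info.name whether or
 * not filename_info() succeeded.  Returns 1 if the page was accepted. */
static int store_description(const char *file)
{
	struct fileinfo info;
	int ok = filename_info(file, &info) != NULL;
	if (!ok) fprintf(stderr, "mandb: warning: %s: ignoring bogus filename\n", file);
	free(info.name);                           /* NULL, not garbage, on the bogus path */
	return ok;
}
```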