[Ltrace-devel] [PATCH 3/4] Prevent freeing static-alloc'd memory for %p and %n in printf
Peter Wu
lekensteyn at gmail.com
Wed Sep 25 22:55:57 UTC 2013
The following code caused ltrace 0.7.3-1 to crash on Arch Linux because
an invalid pointer was passed to free():
printf("%p", &whatever);
In printf.c, the elt_info pointer was always a statically allocated
memory address from type_get_simple():
    if (format_type == ARGTYPE_ARRAY ||
        format_type == ARGTYPE_POINTER)
            elt_info = type_get_simple(elt_type);
Therefore, do not assert that the caller form_next_param owns the
elt_info pointer.
Originally reported at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724253
Signed-off-by: Peter Wu <lekensteyn at gmail.com>
---
printf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/printf.c b/printf.c
index 9051d71..52b212c 100644
--- a/printf.c
+++ b/printf.c
@@ -168,7 +168,7 @@ form_next_param(struct param_enum *self,
type_init_pointer(infop, array, 1);
} else if (format_type == ARGTYPE_POINTER) {
- type_init_pointer(infop, elt_info, 1);
+ type_init_pointer(infop, elt_info, 0);
} else {
*infop = *type_get_simple(format_type);
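Review bot: the ARGTYPE_ARRAY branch directly above this change still passes 1 as the ownership flag in `type_init_pointer(infop, array, 1);` while the ARGTYPE_POINTER branch now passes 0, and nothing in the hunk explains the asymmetry. Since the 0 is correct only because elt_info comes from type_get_simple() and is static storage, a one-line comment on the new line `type_init_pointer(infop, elt_info, 0);` would keep the next reader from "fixing" it back to 1. It is also worth confirming that the `array` built for the ARGTYPE_ARRAY case does not itself record elt_info as an owned element type; otherwise the same invalid free() remains reachable through array formats.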
--
1.8.4
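The ownership bug the commit message describes, reduced to a small model as an added example. This is not ltrace's code: only the names type_get_simple and type_init_pointer come from the patch; struct arg_type_info's fields, type_destroy, pointee_is_static and the frees_done counter are assumptions made here to show why a pointee that lives in a static table must be registered with the ownership flag cleared, and why a heap-allocated pointee must not be.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of ltrace's type ownership rule; not the project's code. */
enum arg_type { ARGTYPE_INT, ARGTYPE_POINTER };

struct arg_type_info {
    enum arg_type type;
    struct arg_type_info *pointee; /* meaningful only for ARGTYPE_POINTER */
    int own_pointee;               /* 1: pointee is heap memory that we free */
};

/* Statically allocated simple types, the kind type_get_simple() hands out.
   Passing any of these to free() is undefined behaviour (the reported crash). */
static struct arg_type_info simple_types[] = {
    [ARGTYPE_INT] = { ARGTYPE_INT, NULL, 0 },
};

struct arg_type_info *type_get_simple(enum arg_type t)
{
    return &simple_types[t];
}

/* Counts real frees so a test can observe what type_destroy() did. */
static int frees_done;

void type_init_pointer(struct arg_type_info *info,
                       struct arg_type_info *pointee, int own)
{
    info->type = ARGTYPE_POINTER;
    info->pointee = pointee;
    info->own_pointee = own;
}

/* Releases the pointee only when the ownership flag says it is ours. */
void type_destroy(struct arg_type_info *info)
{
    if (info->type == ARGTYPE_POINTER && info->own_pointee) {
        type_destroy(info->pointee);
        free(info->pointee);
        frees_done++;
    }
}

/* True when p points into the static table, i.e. must never be owned.
   Compared as integers to stay clear of out-of-object pointer comparison. */
int pointee_is_static(const struct arg_type_info *p)
{
    uintptr_t a = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)simple_types;
    uintptr_t hi = lo + sizeof simple_types;
    return a >= lo && a < hi;
}

/* Mirrors the fixed ARGTYPE_POINTER branch: pointee from type_get_simple(),
   so ownership is 0 and destroy leaves it alone. Returns frees performed. */
int build_and_destroy_static_pointee(void)
{
    struct arg_type_info info;
    struct arg_type_info *elt = type_get_simple(ARGTYPE_INT);
    int before = frees_done;
    type_init_pointer(&info, elt, pointee_is_static(elt) ? 0 : 1);
    type_destroy(&info);
    return frees_done - before; /* 0: static memory never reaches free() */
}

/* A caller-built, heap-allocated pointee (like the array case): owning it
   with 1 is correct, and destroy must free exactly once. */
int build_and_destroy_heap_pointee(void)
{
    struct arg_type_info info;
    struct arg_type_info *elt = malloc(sizeof *elt);
    int before = frees_done;
    if (elt == NULL)
        return -1;
    *elt = *type_get_simple(ARGTYPE_INT); /* copy by value, as the else branch does */
    type_init_pointer(&info, elt, pointee_is_static(elt) ? 0 : 1);
    type_destroy(&info);
    return frees_done - before; /* 1: the heap copy is released */
}

int main(void)
{
    return (build_and_destroy_static_pointee() == 0 &&
            build_and_destroy_heap_pointee() == 1) ? 0 : 1;
}
```

The check in pointee_is_static is the guard a reviewer might want in a debug build: it turns "is this pointer static?" from a fact the caller has to remember into something the code can assert before it ever records ownership.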