public inbox for glibc-bugs@sourceware.org
* [Bug stdio/26214] New: printf_fp double free
@ 2020-07-07 22:53 jsm28 at gcc dot gnu.org
From: jsm28 at gcc dot gnu.org @ 2020-07-07 22:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26214
Bug ID: 26214
Summary: printf_fp double free
Product: glibc
Version: 2.32
Status: NEW
Severity: normal
Priority: P2
Component: stdio
Assignee: unassigned at sourceware dot org
Reporter: jsm28 at gcc dot gnu.org
Target Milestone: ---
__printf_fp_l has a double free bug in the case where it allocates memory with
malloc internally, then has an I/O error while outputting trailing padding and
tries to free that already-freed memory when the error occurs. The following
test reproduces that bug (with a segfault).
#include <stdio.h>
#include <stdlib.h>

int
main (void)
{
  FILE *fp;
  char buf[131072];
  /* Every write to /dev/full fails with ENOSPC.  */
  if ((fp = fopen ("/dev/full", "w")) == NULL)
    exit (1);
  /* Large fully-buffered stream: the digits fit in the buffer, so the
     write error only surfaces while the trailing padding is output.  */
  if (setvbuf (fp, buf, _IOFBF, sizeof buf) != 0)
    exit (2);
  /* Left-justified, huge width and precision: __printf_fp_l takes the
     malloc path and emits trailing padding after freeing its buffer.  */
  fprintf (fp, "%-1000000.65536f", 1.0);
}
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug stdio/26214] printf_fp double free
From: jsm28 at gcc dot gnu.org @ 2020-07-09 21:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26214
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
What              |Removed |Added
------------------+--------+---------
Target Milestone  |---     |2.32
Resolution        |---     |FIXED
Status            |NEW     |RESOLVED
--- Comment #1 from Joseph Myers <jsm28 at gcc dot gnu.org> ---
Fixed for 2.32.
commit ede56038e50235cd1ca7de3602c9491d3b84b49b
Author: Joseph Myers <joseph@codesourcery.com>
Date: Thu Jul 9 21:51:49 2020 +0000
Fix double free in __printf_fp_l (bug 26214).
__printf_fp_l has a double free bug in the case where it allocates
memory with malloc internally, then has an I/O error while outputting
trailing padding and tries to free that already-freed memory when the
error occurs. This patch fixes this by setting the relevant pointer
to NULL after the first free (the only free of this pointer that isn't
immediately followed by returning from the function).
Tested for x86_64 and x86.
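As an added illustration of the pattern described in the report and in the commit message (this is a model written for this page, not glibc's code and not part of the thread), the following C program reproduces the control flow: a malloc'd working buffer is freed once the digits are written, padding is then output, and an I/O error during padding jumps to a cleanup path that frees the buffer again; the `fixed` flag applies the NULL-after-free change. The names `sink`, `tracked_free`, `model_printf_fp` and `run` are assumptions, and a sink that fails after a fixed byte count stands in for /dev/full.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented free: records a repeated release of the same pointer instead
   of performing it (a real double free is undefined behaviour).  The freed
   address is kept as an integer so no dangling pointer is compared.  */
static uintptr_t last_freed;
static int double_free_count;
static void tracked_free(void *p)
{
    if (p != NULL && (uintptr_t)p == last_freed) { double_free_count++; return; }
    last_freed = (uintptr_t)p;
    free(p);
}

/* Output sink that fails once `capacity` bytes have been written (stands in
   for /dev/full behind a stdio buffer that fills up during padding).  */
struct sink { size_t written, capacity; };
static int sink_write(struct sink *s, size_t len)
{
    if (s->written + len > s->capacity) return -1;   /* I/O error */
    s->written += len;
    return 0;
}

/* Simplified model of the control flow (assumption: not glibc's code): the
   digits are written from a malloc'd buffer that is freed before the
   left-justification padding goes out; every I/O error jumps to a cleanup
   label that frees the buffer again.  */
static int model_printf_fp(struct sink *s, size_t width, int fixed)
{
    const char digits[] = "1.000000";
    size_t ndigits = sizeof digits - 1;
    char *wbuffer = malloc(sizeof digits);
    if (wbuffer == NULL) return -1;
    memcpy(wbuffer, digits, sizeof digits);
    if (sink_write(s, ndigits) < 0) goto all_done;
    tracked_free(wbuffer);          /* first free: the function does not return yet */
    if (fixed) wbuffer = NULL;      /* the fix: the later free becomes free(NULL) */
    for (size_t i = ndigits; i < width; i++)
        if (sink_write(s, 1) < 0) goto all_done;   /* error while padding */
    return (int)s->written;
all_done:
    tracked_free(wbuffer);          /* second free of the same pointer when buggy */
    return -1;
}

/* Run the model once with width 1000; returns the number of double frees.  */
static int run(int fixed, size_t capacity)
{
    struct sink s = { 0, capacity };
    last_freed = 0; double_free_count = 0;
    model_printf_fp(&s, 1000, fixed);
    return double_free_count;
}
```

With a sink that fails after 12 bytes the buggy path frees the buffer twice, the fixed path once; when all 1000 bytes fit, neither version reaches the cleanup label.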