From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tyan0@sourceware.org>
Received: by sourceware.org (Postfix, from userid 7868)
	id 4458D385842A; Wed,  2 Aug 2023 13:00:25 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4458D385842A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1690981225;
	bh=8J0TFXN5GVPCkAT6jzMAmxEWFVsxf5JD/puoQggLIKs=;
	h=From:To:Subject:Date:From;
	b=wKk2vrvf2kAWnck8vYZlF8uiLgu5XJSl+7dh9M9Wa28oztpuF81iJSQ1u68Z2LG34
	 ycEcPq4CTW6dhJSfMuBgDFajphsZglvJcJKopRWRUa8F2aCLLLnEBfyV6Zd8rcipM1
	 fvfQc1PPdlYIj3opqeNzjvv31X7+XB8cWjW6AswE=
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Takashi Yano <tyan0@sourceware.org>
To: cygwin-cvs@sourceware.org, newlib-cvs@sourceware.org
Subject: [newlib-cygwin] newlib: Fix memory leak regarding gdtoa-based _ldtoa_r().
X-Act-Checkin: newlib-cygwin
X-Git-Author: Takashi Yano <takashi.yano@nifty.ne.jp>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: dedbbd74d0a8f3b7dfae6188321703a47bb8a2b3
X-Git-Newrev: 5ac83ea47a7acd704c2fb0dff1edb7f51f081e52
Message-Id: <20230802130025.4458D385842A@sourceware.org>
Date: Wed,  2 Aug 2023 13:00:25 +0000 (GMT)
List-Id: <newlib-cvs.sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=3Dnewlib-cygwin.git;h=3D5ac83ea47a7=
acd704c2fb0dff1edb7f51f081e52

commit 5ac83ea47a7acd704c2fb0dff1edb7f51f081e52
Author: Takashi Yano <takashi.yano@nifty.ne.jp>
Date:   Wed Aug 2 14:31:53 2023 +0900

    newlib: Fix memory leak regarding gdtoa-based _ldtoa_r().
   =20
    After the commit a4705d387f78, printf() for floating-point values
    causes a memory leak. The legacy _ldtoa_r() assumed the char pointer
    returned will be free'ed by Bfree(). However, gdtoa-based _ldtoa_r()
    returns the pointer returned by gdtoa() which should be free'ed by
    freedtoa(). Due to this issue, the caller of _ldtoa_r() fails to free
    the allocated char buffer. This is the cause of the said memory leak.
    https://cygwin.com/pipermail/cygwin/2023-July/254054.html
   =20
    This patch makes rv_alloc()/freedtoa() allocate/free the buffer in
    a compatible way with legacy _ldtoa_r().
   =20
    Fixes: a4705d387f78 ("ldtoa: Import gdtoa from OpenBSD.")
    Reported-by: natan_b <natan_b@libero.it>
    Reviewed-by: Corinna Vinschen <corinna@vinschen.de>
    Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>

Diff:
---
 newlib/libc/stdlib/gdtoa-dmisc.c | 23 +++++++++++++----------
 newlib/libc/stdlib/gdtoa-ldtoa.c |  4 +---
 winsup/cygwin/release/3.4.8      |  3 +++
 3 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/newlib/libc/stdlib/gdtoa-dmisc.c b/newlib/libc/stdlib/gdtoa-dm=
isc.c
index 332023dae..f330f8ae7 100644
--- a/newlib/libc/stdlib/gdtoa-dmisc.c
+++ b/newlib/libc/stdlib/gdtoa-dmisc.c
@@ -46,26 +46,28 @@ rv_alloc(ptr, i) struct _reent *ptr, int i;
 rv_alloc(struct _reent *ptr, int i)
 #endif
 {
-	int j, k, *r;
+	int j;
+	char *r;
=20
+	/* Allocate buffer in a compatible way with legacy _ldtoa_r(). */
 	j =3D sizeof(ULong);
-	for(k =3D 0;
-		sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <=3D i;
-		j <<=3D 1)
-			k++;
-	r =3D (int*)Balloc(ptr, k);
+	for (_REENT_MP_RESULT_K (ptr) =3D 0;
+	     sizeof (Bigint) - sizeof (ULong) + j <=3D i; j <<=3D 1)
+		_REENT_MP_RESULT_K (ptr)++;
+	_REENT_MP_RESULT (ptr) =3D eBalloc (ptr, _REENT_MP_RESULT_K (ptr));
+	r =3D (char *) _REENT_MP_RESULT (ptr);
+
 	if (r =3D=3D NULL)
 		return (
 #ifndef MULTIPLE_THREADS
 		dtoa_result =3D
 #endif
 			NULL);
-	*r =3D k;
 	return
 #ifndef MULTIPLE_THREADS
 	dtoa_result =3D
 #endif
-		(char *)(r+1);
+		r;
 	}
=20
  char *
@@ -100,8 +102,9 @@ freedtoa(ptr, s) struct _reent *ptr, char *s;
 freedtoa(struct _reent *ptr, char *s)
 #endif
 {
-	Bigint *b =3D (Bigint *)((int *)s - 1);
-	b->_maxwds =3D 1 << (b->_k =3D *(int*)b);
+	/* Free buffer allocated in a compatible way with legacy _ldtoa_r(). */
+	Bigint *b =3D (Bigint *)s;
+	b->_maxwds =3D 1 << (b->_k =3D _REENT_MP_RESULT_K (ptr));
 	Bfree(ptr, b);
 #ifndef MULTIPLE_THREADS
 	if (s =3D=3D dtoa_result)
diff --git a/newlib/libc/stdlib/gdtoa-ldtoa.c b/newlib/libc/stdlib/gdtoa-ld=
toa.c
index 14b99042c..09ba6b34b 100644
--- a/newlib/libc/stdlib/gdtoa-ldtoa.c
+++ b/newlib/libc/stdlib/gdtoa-ldtoa.c
@@ -72,9 +72,7 @@ _ldtoa_r(struct _reent *ptr,
=20
 	/* reentrancy addition to use mprec storage pool */
 	if (_REENT_MP_RESULT (ptr)) {
-		_REENT_MP_RESULT (ptr)->_k =3D _REENT_MP_RESULT_K (ptr);
-		_REENT_MP_RESULT (ptr)->_maxwds =3D 1 << _REENT_MP_RESULT_K (ptr);
-		Bfree (ptr, _REENT_MP_RESULT (ptr));
+		freedtoa (ptr, _REENT_MP_RESULT (ptr));
 		_REENT_MP_RESULT (ptr) =3D 0;
 	}
=20
diff --git a/winsup/cygwin/release/3.4.8 b/winsup/cygwin/release/3.4.8
index d37272eef..448831c65 100644
--- a/winsup/cygwin/release/3.4.8
+++ b/winsup/cygwin/release/3.4.8
@@ -14,3 +14,6 @@ Bug Fixes
 - Rename internal macros _NL_CTYPE_OUTDIGITSx_MB/WC to GLibc compatible
   _NL_CTYPE_OUTDIGITx_MB/WC.
   Addresses: https://cygwin.com/pipermail/cygwin-developers/2023-July/0126=
37.html
+
+- Fix memory leak in printf() regarding gdtoa-based _ldtoa_r().
+  Addresses: https://cygwin.com/pipermail/cygwin/2023-July/254054.html