bug-wget

Re: [Bug-wget] xfree() crashes on libidn memory


From: Tim Ruehsen
Subject: Re: [Bug-wget] xfree() crashes on libidn memory
Date: Wed, 11 Feb 2015 09:53:48 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )

Hi Gisle,

Good catch.

idn_encode() has the same issue.
It is used at url.c:894.

Could you amend your patch to also handle this case?
I guess you have to add a flag to struct url that has to be checked when 
freeing 'host'.

Also - as Jérémie suggests - please set the pointers to NULL after freeing.

Regards, Tim

On Tuesday 10 February 2015 23:27:55 Gisle Vanem wrote:
> I got a crash in my MSVC-built Wget by "accidentally" mixing
> debug and release obj/libs in my build. (libidn in debug-mode
> and Wget in release-mode). So the memory returned from
> 'idn_decode()' in connect.c:
> 
>      if (opt.enable_iri && (name = idn_decode ((char *) print)) != NULL)
> ...
>      xfree (name);
> 
> triggered a crash; the CRT mem-block layouts are different in
> release and debug-modes. The important thing is that IDN should
> free its own memory using idn_free(). This function has been in
> there since 2004!
> 
> Same problem in host.c too. Here is a patch:
> 
> --- a/connect.c       2015-02-05 15:31:22 +0000
> +++ b/connect.c    2015-02-05 15:33:27 +0000
> @@ -278,7 +278,7 @@
>                 str = xmalloc (len);
>                 snprintf (str, len, "%s (%s)", name, print);
>                 str[len-1] = '\0';
> -              xfree (name);
> +              idn_free (name);
>               }
> 
>             logprintf (LOG_VERBOSE, _("Connecting to %s|%s|:%d... "),
> 
> 
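Review bot: after `idn_free (name);` in this connect.c hunk, `name` is left pointing at freed memory; add `name = NULL;` on the next line, as asked for in the reply above. The patch also shows no added #include for the libidn header that declares idn_free() (idn-free.h), so check that connect.c already sees a prototype rather than relying on an implicit declaration.
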
> --- a/host.c  2015-02-05 15:31:22 +0000
> +++ b/host.c       2015-02-03 01:57:33 +0000
> @@ -741,7 +741,7 @@
>             str = xmalloc (len);
>             snprintf (str, len, "%s (%s)", name, host);
>             str[len-1] = '\0';
> -          xfree (name);
> +          idn_free (name);
>           }
> 
>         logprintf (LOG_VERBOSE, _("Resolving %s... "),
> 
> 
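Review bot: in this host.c hunk the `idn_free (name);` call is only right while `name` came from idn_decode(), and that assignment is outside the visible context; a short comment at the call, or a wget-side wrapper that copies the decoded string into xmalloc'ed memory and calls idn_free() itself, would keep the allocator pairing in one place instead of at each call site. The same `name = NULL;` after the free applies here.
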
> ----------
> 
> This probably is alien stuff to you Unix folks. You have no
> release/debug-modes to take care of (?)

Attachment: signature.asc
Description: This is a digitally signed message part.
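
The ownership flag suggested above for the idn_encode() case, sketched as an added example that is not part of the original thread and is not wget or libidn code. `struct demo_url`, `host_from_lib`, `lib_encode()` and `lib_free()` are hypothetical stand-ins (the last two play the roles of idn_encode() and idn_free()), and the host names are constructed.

```c
/* Added example: stand-ins only, not wget or libidn code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIB_MAGIC 0x1D4E1D4EUL
static int lib_frees, app_frees;   /* counters so the pairing can be checked */

/* Plays idn_encode(): the library's heap puts its own header before the data,
   the way a debug CRT lays blocks out differently from a release CRT. */
static char *lib_encode(const char *s) {
    unsigned long *blk = malloc(2 * sizeof *blk + strlen(s) + 1);
    if (!blk) return NULL;
    blk[0] = LIB_MAGIC;
    return strcpy((char *)(blk + 2), s);
}
/* Plays idn_free(): the only routine that knows the library's block layout. */
static void lib_free(void *p) {
    if (!p) return;
    unsigned long *blk = (unsigned long *)p - 2;
    if (blk[0] != LIB_MAGIC) abort();   /* block did not come from lib_encode() */
    free(blk);
    lib_frees++;
}
/* Play xstrdup()/xfree(): the application's own allocator. */
static char *app_strdup(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
static void app_free(void *p) { if (p) { free(p); app_frees++; } }

struct demo_url { char *host; bool host_from_lib; };   /* hypothetical struct */

static bool demo_set_host(struct demo_url *u, const char *raw, bool encode) {
    u->host = encode ? lib_encode(raw) : app_strdup(raw);
    u->host_from_lib = encode && u->host != NULL;   /* record who owns it */
    return u->host != NULL;
}
static void demo_free_host(struct demo_url *u) {
    if (u->host_from_lib) lib_free(u->host); else app_free(u->host);
    u->host = NULL;               /* a repeated call becomes a no-op */
    u->host_from_lib = false;
}

int main(void) {
    struct demo_url a, b;
    demo_set_host(&a, "xn--constructed-host.example", true);
    demo_set_host(&b, "plain.example", false);
    demo_free_host(&a); demo_free_host(&b); demo_free_host(&a);
    printf("lib_frees=%d app_frees=%d\n", lib_frees, app_frees);
    return 0;
}
```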
