
Re: [Man-db-devel] mandb: double free or corruption


From: Colin Watson
Subject: Re: [Man-db-devel] mandb: double free or corruption
Date: Mon, 3 Oct 2011 13:26:39 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Oct 03, 2011 at 01:46:51PM +0200, Peter Schiffer wrote:
> I am sending a quick-fix patch solving a double free or corruption
> crash in man-db.
> 
> This man page caused the problem:
> 
> ult_src: File /usr/share/man/man8/dpm-srmv1.8.gz in mantree /usr/share/man
> ult_softlink: (/usr/lib64/dpm-mysql/dpm-srmv1.8.gz)
> "srmv1 - start the SRM v1 server"
> record = 'srmv1 - start the SRM v1 server'
> trace->names[0] = '/usr/share/man/man8/dpm-srmv1.8.gz'
> trace->names[1] = '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz'
> mandb: warning: /usr/lib64/dpm-mysql/dpm-srmv1.8.gz: ignoring bogus filename
> 
> 
> When the function filename_info is called from
> src/descriptions_store.c:95 with
> '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz' as its first param, it exits at
> src/filenames.c:140 because of a bogus filename (info->sec is '-mysql'
> instead of 8), returns NULL and doesn't set trace_info.name.
> After that, trying to free trace_info.name in
> src/descriptions_store.c:119 causes the crash.
> 
> The patch is only a hotfix; feel free to modify it or solve this issue
> any way you wish.

Thanks for your analysis and patch.  I think it would be better to
change filename_info to ensure that all info fields are defined on exit,
either manually or by calling memset at the start; that way we're sure
to avoid this bug at all call sites, not just in store_descriptions.
Could you try that instead?

I would also appreciate a test case in src/tests/ exercising this bug,
if you can.

Thanks,

-- 
Colin Watson                                       address@hidden
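The failure mode traced in this thread, and the fix Colin proposes, as an added C example that is not man-db's own code. `struct info`, `section_of`, `parse_into`, `filename_info_buggy`, `filename_info_fixed`, `would_free_stale` and `parses_as` are hypothetical names; the struct is a simplified stand-in for the real filename_info() result, and the section rule (parent directory's base name minus a leading "man", rejected when it does not start with a digit) is a simplified model of what the report's debug output shows, not man-db's actual check. The two paths are the ones from the report.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the fields of man-db's
 * filename_info() result that matter in the report. */
struct info {
    char *name;     /* heap copy of the file's base name, or NULL */
    char sec[16];   /* section derived from the parent directory */
};

typedef struct info *(*parser_fn)(const char *, struct info *);

/* Locate the section text the way the report shows it being derived:
 * the parent directory's base name minus a leading 3-char "man" prefix,
 * so ".../man8/x" yields "8" and ".../dpm-mysql/x" yields "-mysql".
 * Simplified model; returns a pointer into `file` plus its length. */
static const char *section_of(const char *file, size_t *len)
{
    const char *slash = strrchr(file, '/');
    if (slash == NULL || slash == file)
        return NULL;
    const char *dir_start = slash;
    while (dir_start > file && dir_start[-1] != '/')
        dir_start--;
    if ((size_t)(slash - dir_start) <= 3)
        return NULL;
    *len = (size_t)(slash - dir_start) - 3;
    return dir_start + 3;
}

/* Shared parsing body.  A section that does not start with a digit is
 * treated as bogus (simplified rule) and takes the early return that the
 * report traces to src/filenames.c:140. */
static struct info *parse_into(const char *file, struct info *out)
{
    size_t len = 0;
    const char *sec = section_of(file, &len);
    if (sec == NULL || len >= sizeof out->sec || !isdigit((unsigned char)sec[0]))
        return NULL;             /* bogus filename: out->name is not written here */
    memcpy(out->sec, sec, len);
    out->sec[len] = '\0';
    out->name = strdup(strrchr(file, '/') + 1);
    return out;
}

/* Pre-fix shape: an early exit leaves the caller's fields exactly as they
 * were, so a later free(trace.name) acts on whatever was there before. */
struct info *filename_info_buggy(const char *file, struct info *out)
{
    return parse_into(file, out);
}

/* Colin's suggestion: define every field at entry, so that each exit path,
 * including the bogus-filename one, leaves name == NULL (safe to free). */
struct info *filename_info_fixed(const char *file, struct info *out)
{
    memset(out, 0, sizeof *out);
    return parse_into(file, out);
}

/* Stands in for the caller in the report: parse, then free trace.name.
 * To observe the defect without actually freeing garbage, the field is
 * seeded with a non-heap sentinel (playing the role of leftover stack or
 * heap contents) and the function reports whether free() would have been
 * handed that sentinel.  Returns 1 when it would, 0 otherwise. */
static char stale_sentinel[] = "leftover pointer from an earlier call";

int would_free_stale(parser_fn fn, const char *file)
{
    struct info trace;
    trace.name = stale_sentinel;
    trace.sec[0] = '\0';
    fn(file, &trace);
    int stale = (trace.name == stale_sentinel);
    if (!stale)
        free(trace.name);        /* NULL or a real strdup() result */
    return stale;
}

/* Returns 1 when `fn` accepts `file` and fills in the expected fields. */
int parses_as(parser_fn fn, const char *file, const char *want_sec, const char *want_name)
{
    struct info trace;
    memset(&trace, 0, sizeof trace);
    int ok = fn(file, &trace) == &trace && trace.name != NULL
          && strcmp(trace.sec, want_sec) == 0 && strcmp(trace.name, want_name) == 0;
    free(trace.name);
    return ok;
}

int main(void)
{
    /* Paths taken from the report's debug output. */
    const char *good = "/usr/share/man/man8/dpm-srmv1.8.gz";
    const char *bogus = "/usr/lib64/dpm-mysql/dpm-srmv1.8.gz";
    printf("buggy, bogus path: would free stale name? %d\n", would_free_stale(filename_info_buggy, bogus));
    printf("fixed, bogus path: would free stale name? %d\n", would_free_stale(filename_info_fixed, bogus));
    printf("fixed, good path parses: %d\n", parses_as(filename_info_fixed, good, "8", "dpm-srmv1.8.gz"));
    return 0;
}
```

The memset at entry is what makes the contract hold at every call site rather than only in store_descriptions: whichever branch returns NULL, the caller can free(name) unconditionally because free(NULL) is a no-op. A test in src/tests/ for this bug would feed mandb a tree containing a symlink whose target directory is not named man<section>, as in the report.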