PSPP-BUG: [bug #32757] use-after-free with TEMPORARY in some procedures

[Ben Pfaff]

URL:
  <http://savannah.gnu.org/bugs/?32757>

                 Summary: use-after-free with TEMPORARY in some procedures
                 Project: PSPP
            Submitted by: blp
            Submitted on: Sat Mar 12 08:58:06 2011
                Category: Syntax Parser
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Effort: 0.00

    _______________________________________________________

Details:

A recent commit explains the issue:


commit 12212dfd8afc14405274703b511c32d362ec0ab5
Author: Ben Pfaff <address@hidden>
Date:   Thu Mar 10 22:53:17 2011 -0800

    T-TEST: Fix use-after-free with TEMPORARY and independent samples.
    
    When TEMPORARY is in effect, proc_commit() destroys the temporary
    dictionary.  This means that any procedure that does not somehow disable
    temporary transformations and refers to a variable following
proc_commit()
    has a use-after-free error.
    
    T-TEST has two different bugs of this type.  First, the loop that
destroys
    group statistics refers to destroyed variables.  This commit fixes this
    problem by instead using variable aux data destructors to destroy group
    statistics.
    
    Second, when there is an independent variable, destroying its values
    requires knowing the variable's width.  This commit fixes this problem by
    destroying the values before calling proc_commit().
    
    The AUTORECODE, DESCRIPTIVES, RANK, and REGRESSION procedures appear to
    have similar issues (not fixed by this commit).
    
    Reported by Jeremy Lavergne <address@hidden>.





    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?32757>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/