[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heap use after free in find_node_separator()
|
From: |
Gavin Smith |
|
Subject: |
Re: heap use after free in find_node_separator() |
|
Date: |
Mon, 23 Jan 2017 19:49:10 +0000 |
On 22 January 2017 at 12:33, Hanno Böck <address@hidden> wrote:
> The attached file will cause a heap use after free bug int he function
> find_node_separator().
>
> Stack trace from address sanitizer:
>
> ==13898==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x60400000dd52 at pc 0x0000005523ec bp 0x7ffc983fad30 sp 0x7ffc983fad28
> READ of size 1 at 0x60400000dd52 thread T0
> #0 0x5523eb in find_node_separator /f/texinfo/trunk/info/search.c:473:11
> #1 0x5523eb in find_node_in_binding /f/texinfo/trunk/info/search.c:591
> #2 0x54d674 in adjust_nodestart /f/texinfo/trunk/info/nodes.c:1198:18
> #3 0x54b8af in find_node_from_tag /f/texinfo/trunk/info/nodes.c:1238:15
> #4 0x54b8af in info_node_of_tag_ext /f/texinfo/trunk/info/nodes.c:1411
> #5 0x54ade9 in info_node_of_tag /f/texinfo/trunk/info/nodes.c:1490:10
> #6 0x54ade9 in info_get_node_of_file_buffer
> /f/texinfo/trunk/info/nodes.c:1114
> #7 0x54a5f3 in info_get_node_with_defaults
> /f/texinfo/trunk/info/nodes.c:997:14
> #8 0x56dea2 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3764:10
> #9 0x56db72 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3727:11
> #10 0x531e19 in main /f/texinfo/trunk/info/info.c:1073:7
> #11 0x7f8a26ac078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
> #12 0x41a598 in _start (/old-ram1/texinfo/ginfo+0x41a598)
>
> 0x60400000dd52 is located 2 bytes inside of 47-byte region
> [0x60400000dd50,0x60400000dd7f)
> freed by thread T0 here:
I believe I've fixed this in SVN revision 7647. I believe it was not a
"use after free error". The fact that the pointer was into memory that
was previously free'd in your case was a coincidence.