bug-binutils
[Bug gas/21939] Binutils-2.29 invalid free()


From: nickc at redhat dot com
Subject: [Bug gas/21939] Binutils-2.29 invalid free()
Date: Thu, 10 Aug 2017 10:04:57 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21939

Nick Clifton <nickc at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |nickc at redhat dot com

--- Comment #1 from Nick Clifton <nickc at redhat dot com> ---
Hi Pierre,

  Right - this was a fun one. The reason why qsort is triggering the abort
  is because it is mapped onto the qsort_r function.  This function allocates
  its own region of memory to contain a copy of the pointer array that is
  going to be sorted.  Naturally when the sort is finished, the sorted array
  is copied back over the real array, and the copy is freed.

  The interesting thing here is that nothing has gone wrong in qsort_r.  The
  memory was corrupted much earlier, but the corruption is only detected when
  qsort_r calls free().  If you compile the assembler with address sanitization
  enabled then the memory corruption is detected where it actually occurs.

  Now the bug itself is in the assembler's processing of mach-o indirect
  symbols.  The assembler creates an internal array to hold pointers to these
  symbols, but the array is not big enough.  Unfortunately I am not a mach-o
  expert, so I do not know whether the array size computation is wrong, or
  else the detection of indirect symbols is wrong.  So as a workaround for
  the problem I have updated the code so that it allocates an array big
  enough to hold every symbol.  This is probably overkill, but it should be
  safe.

  I am currently running some local tests on the patch, and assuming that
  everything is OK, I will check it in shortly.

Cheers
  Nick

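The undersized pointer-array pattern described in the comment above, as an added C example that is not binutils code and not part of this thread: the array of indirect-symbol pointers is sized for every symbol (the workaround Nick describes) and every store is bounds-checked, so a wrong up-front estimate is reported at the write site rather than surfacing later as an invalid free() under qsort_r. `sym_t`, its `indirect` flag and `collect_indirect` are constructed stand-ins, not gas's real types.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an assembler symbol with only the fields this
   example needs; `indirect` models "is a mach-o indirect symbol". */
typedef struct {
    const char *name;
    int indirect;
} sym_t;

typedef struct {
    sym_t **ptrs;      /* array sized for EVERY symbol, as in the workaround */
    size_t count;      /* indirect symbols actually stored */
    size_t capacity;   /* allocated slots */
    int estimate_off;  /* 1 if a cheaper up-front estimate would have undercounted */
} indirect_list_t;

static int cmp_by_name(const void *a, const void *b) {
    const sym_t *x = *(sym_t *const *)a, *y = *(sym_t *const *)b;
    return strcmp(x->name, y->name);
}

/* Collect pointers to indirect symbols and sort them by name.
   `estimated` is the count a separate pass claimed; the array is sized
   for all `nsyms` symbols regardless, and each store is bounds-checked,
   so a wrong estimate is detected here instead of by free() in qsort_r.
   Returns 0 on success, -1 on allocation failure or capacity overrun. */
int collect_indirect(sym_t *syms, size_t nsyms, size_t estimated,
                     indirect_list_t *out) {
    out->capacity = nsyms;           /* workaround: room for every symbol */
    out->count = 0;
    out->estimate_off = 0;
    out->ptrs = calloc(nsyms ? nsyms : 1, sizeof *out->ptrs);
    if (!out->ptrs) return -1;
    for (size_t i = 0; i < nsyms; i++) {
        if (!syms[i].indirect) continue;
        if (out->count >= out->capacity) {   /* impossible with capacity == nsyms */
            free(out->ptrs); out->ptrs = NULL; return -1;
        }
        out->ptrs[out->count++] = &syms[i];
    }
    if (out->count > estimated) out->estimate_off = 1;  /* estimate undercounted */
    qsort(out->ptrs, out->count, sizeof *out->ptrs, cmp_by_name);
    return 0;
}
```

Building with `-fsanitize=address` and reverting `capacity` to `estimated` reproduces the situation in the report: the sanitizer flags the out-of-bounds store itself rather than the later free().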
