bug-gawk

[bug-gawk] Variable double free bug.


From: ruyk
Subject: [bug-gawk] Variable double free bug.
Date: Thu, 14 Jan 2016 02:43:06 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Hello.

I noticed that since commit 566df675d8a6bb0c632231abe2e7573ce9f9541d
gawk can terminate abnormally on some sorts of scripts.

For example:

---
#!/usr/bin/gawk -f
BEGIN {

    for (i = 0; i < 100; i++)
        func_exec()
}

function func_exec(opaque)
{
    func_a(1, opaque)    # pass an extra argument not expected by func_a: the untyped 'opaque' binds to the local b
}

function func_a(a,    b, loc1, loc2)
{
    b = 0            # store into b, which references the caller's untyped 'opaque'; unrefs Nnull_string
}
---

When we try to run it, we get:
---
gawk: ./main.awk:10: fatal error: internal error: segfault
Aborted
---

This happens because before the ``b = 0`` line (opcode Op_store_var) *b* has type Node_array_ref, and inside eval.c:r_get_lhs we set n->orig_array->var_value to Nnull_string, and after *func_a* execution gawk does a superfluous Nnull_string reference decrement.

This patch fixes the problem (I don't know whether it is good enough):
---
$ git diff --patch eval.c
diff --git a/eval.c b/eval.c
index cf4de1f..948b1e2 100644
--- a/eval.c
+++ b/eval.c
@@ -1155,7 +1155,7 @@ r_get_lhs(NODE *n, bool reference)
                if (n->orig_array->type == Node_var_array)
fatal(_("attempt to use array `%s' in a scalar context"),
                                        array_vname(n));
-               if (n->orig_array->type != Node_var) {
+ if (n->orig_array->type != Node_var && n->orig_array->type != Node_var_new) {
                        n->orig_array->type = Node_var;
                        n->orig_array->var_value = Nnull_string;
                }
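Review bot: the widened condition skips both the promotion to Node_var and the `var_value = Nnull_string` assignment whenever the original node is Node_var_new, but the description above attributes the crash to an unref of an Nnull_string that was stored without a matching reference; it is worth checking whether the narrower fix is to keep the assignment and account for the reference (for example `n->orig_array->var_value = dupnode(Nnull_string);`), and whether a Node_var_new left untouched here carries a var_value the caller can safely use. Separately, the leading whitespace on the `+` line does not match the tab indentation of the `-` line it replaces and the line runs past the width of its neighbours, so the patch may not apply cleanly from the mail as sent. A regression test built from the script earlier in this report would belong with the change.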
---

Best regards,

Boris


