bug-ncurses

deref/use after free


From: john heasley
Subject: deref/use after free
Date: Fri, 21 Nov 2008 08:51:51 +0000
User-agent: Mutt/1.4.2.3i

I have a home-grown curses application which dumps core within ncurses 5.7
when the window is repeatedly resized.  The traceback is

#0  0xbb92ba9b in _malloc_prefork () from /usr/lib/libc.so.12
#1  0xbb92bd1b in free () from /usr/lib/libc.so.12
#2  0xbbba59f9 in wresize (win=0xbb72e440, ToLines=10, ToCols=91)
    at ../ncurses/./base/wresize.c:203
#3  0xbbba4e38 in adjust_window (win=0xbb72e440, ToLines=11, ToCols=92, 
    stolen=0) at ../ncurses/./base/resizeterm.c:233
#4  0xbbba4eb0 in decrease_size (ToLines=11, ToCols=92, stolen=0)
    at ../ncurses/./base/resizeterm.c:260
#5  0xbbba50c8 in resize_term (ToLines=11, ToCols=92)
    at ../ncurses/./base/resizeterm.c:350
#6  0xbbba529d in resizeterm (ToLines=11, ToCols=92)
    at ../ncurses/./base/resizeterm.c:418
#7  0xbbba9e0c in _nc_update_screensize (sp=0xbb71f800)
    at ../ncurses/./tinfo/lib_setup.c:323
#8  0xbbb9506a in _nc_wgetch (win=0xbb72f3a0, result=0xbfbfe29c, use_meta=1)
    at ../ncurses/./base/lib_getch.c:475
#9  0xbbb9543a in wgetch (win=0xbb72f3a0) at ../ncurses/./base/lib_getch.c:556
#10 0xbbbe5bcd in process_input () at worksheet.c:605
#11 0xbbbe6369 in worksheet_active (ws=0xbb729470) at worksheet.c:732
#12 0x08050326 in view_table (t=0xbb720800) at table.c:441
#13 0x0805072b in table_play (t=0xbb720800) at table.c:544
#14 0x080507dd in command_loop () at table.c:578
#15 0x08049b29 in main ()

which is here
198                 for (row = ToLines + 1; row <= size_y; row++) {
199                     free(win->_line[row].text);
200                 }
201             } else {
202                 for (row = 0; row <= size_y; row++) {
203                     free(win->_line[row].text);     <<<<<<
204                 }
205             }
206         }

(gdb) p win->_line[row]
$2 = {text = 0xbb29cac0, firstchar = -1, lastchar = -1, oldindex = 0}

And another, displaying a new window after having played with window
resizing.

#0  0xbbb9e969 in wtouchln (win=0xbb72e680, y=0, n=21, changed=1)
    at ../ncurses/./base/lib_touch.c:87
#1  0xbbbc9701 in hide_panel (pan=0xbb735df0) at ../panel/p_hide.c:53
#2  0xbbbe62fc in worksheet_display (ws=0xbb729380) at worksheet.c:714
#3  0xbbbe6358 in worksheet_active (ws=0xbb729380) at worksheet.c:728
#4  0x08050326 in view_table (t=0xbb720800) at table.c:441
#5  0x0805072b in table_play (t=0xbb720800) at table.c:544
#6  0x080507dd in command_loop () at table.c:578
#7  0x08049b29 in main () at netgeek.c:88
(gdb) print i
$3 = 0
(gdb) print *win
$5 = {_cury = 1, _curx = 1, _maxy = 20, _maxx = 20, _begy = 20, _begx = 0, 
  _flags = 1, _attrs = 20, _bkgd = 0, _notimeout = false, _clear = false, 
  _leaveok = false, _scroll = false, _idlok = false, _idcok = false, 
  _immed = false, _sync = false, _use_keypad = false, _delay = 32, 
  _line = 0x0, _regtop = 0, _regbottom = 0, _parx = 1023, _pary = -1150097696, 
  _parent = 0xbb285fa0, _pad = {_pad_y = -6528, _pad_x = -17550, 
    _pad_top = -27696, _pad_left = -17550, _pad_bottom = 0, _pad_right = 0}, 
  _yoffset = 0}

84          for (i = y; i < y + n; i++) {
85              if (i > win->_maxy)
86                  break;
87              win->_line[i].firstchar = changed ? 0 : _NOCHANGE;
88              win->_line[i].lastchar = changed ? win->_maxx : _NOCHANGE;
89          }
90          returnCode(OK);
91      }

Without resizing, there are no segfaults.  I'm hoping that one of those
familiar with ncurses source will know where to look straight away.  If
not, I'll spend the time to track it down.

cheers



