[Nano-devel] bug caused by accessing freed memory
From: bort
Subject: [Nano-devel] bug caused by accessing freed memory
Date: Tue, 9 Mar 2004 16:50:15 -0600
Line 881:winio.c answer = charealloc(answer, xend + 1);
Line 883:winio.c strcpy(answer, def);
The value of def is (was) the same as answer, before the realloc.
Unfortunately, if the realloc had to move the memory block, def is pointing at
an invalid block of memory. One way to provoke this error is to set the
environment variable MALLOC_OPTIONS on a FreeBSD machine to "J", which
initializes realloc/malloced memory to 0xd0.
The attached diff file will correct the issue (at least as far as I can tell);
it applies to nano 1.3.1 files.c only.
1726a1727,1728
> char* tmpanswer=charalloc(strlen(answer)+1);
> strcpy(tmpanswer,answer);
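Review bot: The copy at 1727-1728 fixes the aliasing only for this caller in files.c, while the message places the fault at winio.c lines 881 and 883, where def still refers to the old answer block after charealloc. Fixing it there (copy def before the charealloc, or skip the strcpy when def is answer) would cover every caller that passes answer as the default, and would also avoid an overlapping strcpy when the block does not move. Style: the declaration could read `char *tmpanswer = charalloc(strlen(answer) + 1);` to match the spacing of the surrounding statusq calls.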
1728c1730
< i = statusq(1, writefile_list, answer, 0,
---
> i = statusq(1, writefile_list, tmpanswer, 0,
1731c1733
< i = statusq(1, writefile_list, answer, 0,
---
> i = statusq(1, writefile_list, tmpanswer, 0,
1734c1736
< i = statusq(1, writefile_list, answer, 0,
---
> i = statusq(1, writefile_list, tmpanswer, 0,
1735a1738
> free(tmpanswer);
1737a1741,1743
> {
> char* tmpanswer=charalloc(strlen(answer)+1);
> strcpy(tmpanswer,answer);
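Review bot: The allocate-and-copy pair at 1742-1743 repeats 1727-1728, and the brace opened at 1741 exists only to scope the second declaration. A single tmpanswer set up once ahead of both groups of statusq calls, or a small helper that returns the copy, would remove the duplicated free and the extra block.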
1739c1745
< i = statusq(1, writefile_list, answer,
---
> i = statusq(1, writefile_list, tmpanswer,
1742c1748
< i = statusq(1, writefile_list, answer,
---
> i = statusq(1, writefile_list, tmpanswer,
1745c1751
< i = statusq(1, writefile_list, answer,
---
> i = statusq(1, writefile_list, tmpanswer,
1746a1753,1754
> free(tmpanswer);
> }
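
The aliasing described in the message (def referring to the same block as answer when the reallocation moves it), as an added example that is not part of the original post or nano's code. The names set_answer and demo_aliased are hypothetical, and plain malloc/realloc stand in for nano's charalloc/charealloc.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not nano's code): make *answer hold a copy of def in
 * a buffer of at least `need` bytes, even when def points into *answer.
 * Returns 0 on success, -1 on allocation failure (*answer left unchanged). */
int set_answer(char **answer, const char *def, size_t need)
{
    size_t len = strlen(def);
    char *copy, *grown;

    if (need < len + 1)
        need = len + 1;

    /* Snapshot def BEFORE the realloc: if def aliases *answer and the
     * block moves, def would afterwards point at freed memory. */
    copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, def, len + 1);

    grown = realloc(*answer, need);
    if (grown == NULL) {
        free(copy);
        return -1;
    }
    memcpy(grown, copy, len + 1);   /* source and destination never overlap */
    free(copy);
    *answer = grown;
    return 0;
}

/* Constructed case: def is answer itself and the buffer grows from 8 bytes
 * to 1 MiB, so the allocator is likely to move the block. Returns 1 if the
 * contents survive. */
int demo_aliased(void)
{
    char *answer = malloc(8);
    int ok;

    if (answer == NULL)
        return 0;
    strcpy(answer, "foo.txt");
    ok = set_answer(&answer, answer, (size_t)1 << 20) == 0
        && strcmp(answer, "foo.txt") == 0;
    free(answer);
    return ok;
}
```

Building this with AddressSanitizer, or running it under FreeBSD's MALLOC_OPTIONS "J" as the message suggests, is a quick way to confirm that no read touches the old block.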