| author | Peter Wu <lekensteyn@gmail.com> | 2013-09-26 00:55:57 +0200 |
|---|---|---|
| committer | Petr Machata <pmachata@redhat.com> | 2013-09-26 13:43:36 +0200 |
| commit | cae76962c7e0ec6119952addb36d1cf8d19f5228 (patch) | |
| tree | 6b6cbf9d55dd6c970f5ee0468b886bea0b2405e9 | |
| parent | 594ef6824f4b08adff9b67f1481030a81dbf3bf7 (diff) | |
| download | ltrace-cae76962c7e0ec6119952addb36d1cf8d19f5228.tar.gz | |
Prevent freeing static-alloc'd memory for %p and %n in printf
The following code caused ltrace 0.7.3-1 to crash on Arch Linux because
an invalid pointer was passed to free():
    printf("%p", &whatever);
In printf.c, the elt_info pointer was always a statically allocated
memory address from type_get_simple():
    if (format_type == ARGTYPE_ARRAY ||
        format_type == ARGTYPE_POINTER)
        elt_info = type_get_simple(elt_type);
Therefore, do not assert that the caller form_next_param owns the
elt_info pointer.
Originally reported at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724253
Signed-off-by: Peter Wu <lekensteyn@gmail.com>
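The ownership flag the patch flips, as an added example that is not ltrace's own code: struct and field names such as arg_type_info, pointee_info and own_info are assumed, only the function names and ARGTYPE_POINTER come from the commit. type_destroy() refuses to free() a descriptor that lives in the static table type_get_simple() hands out, so the pre-patch own_info=1 is reported as a misconfiguration instead of becoming an invalid free().

```c
#include <stdlib.h>
/* Reduced model of ltrace's type descriptors (added example, not ltrace code):
 * struct/field names are assumed; function names and ARGTYPE_POINTER are from the page. */
enum arg_type { ARGTYPE_INT, ARGTYPE_POINTER };

struct arg_type_info {
	enum arg_type type;
	struct arg_type_info *pointee_info; /* valid for ARGTYPE_POINTER */
	int own_info;                       /* 1: type_destroy() frees pointee_info */
};

/* Static table standing in for what type_get_simple() hands out. */
static struct arg_type_info simple_types[] = { [ARGTYPE_INT] = { ARGTYPE_INT, NULL, 0 } };
struct arg_type_info *type_get_simple(enum arg_type t) { return &simple_types[t]; }

/* True when p lies in the static table and must never reach free(). */
static int is_static_simple(const struct arg_type_info *p)
{
	size_t n = sizeof simple_types / sizeof simple_types[0];
	return p >= simple_types && p < simple_types + n;
}

void type_init_pointer(struct arg_type_info *info, struct arg_type_info *pointee, int own_info)
{
	info->type = ARGTYPE_POINTER;
	info->pointee_info = pointee;
	info->own_info = own_info;
}

/* 1: pointee freed; 0: not owned, left alone; -1: own_info=1 on a static
 * pointee, the misconfiguration that made 0.7.3 call free() on it. */
int type_destroy(struct arg_type_info *info)
{
	if (info->type != ARGTYPE_POINTER || !info->own_info)
		return 0;
	if (is_static_simple(info->pointee_info))
		return -1;
	free(info->pointee_info);
	info->pointee_info = NULL;
	return 1;
}

/* Models form_next_param's ARGTYPE_POINTER branch: own_info=1 is the
 * pre-patch call, own_info=0 the patched one. */
int form_pointer_param(struct arg_type_info *infop, int own_info)
{
	type_init_pointer(infop, type_get_simple(ARGTYPE_INT), own_info);
	return type_destroy(infop);
}
```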
-rw-r--r-- | printf.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -168,7 +168,7 @@ form_next_param(struct param_enum *self, type_init_pointer(infop, array, 1); } else if (format_type == ARGTYPE_POINTER) { - type_init_pointer(infop, elt_info, 1); + type_init_pointer(infop, elt_info, 0); } else { *infop = *type_get_simple(format_type); |
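Review bot: The ARGTYPE_POINTER branch now passes 0 as the ownership argument so elt_info, which the commit message says comes from type_get_simple(), is never handed to free(), but nothing at the call site records why this branch differs from the ARGTYPE_ARRAY branch just above it, which still passes 1 for `array`. A one-line comment on the patched call, e.g. `/* elt_info is static (type_get_simple); not owned */`, would stop a later cleanup from "fixing" the asymmetry back to 1, and the same ownership check is worth applying at any other type_init_pointer call that receives a type_get_simple() result.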