
Bug#264884: globfree() double-frees

Package: libc6
Version: 2.3.2.ds1-13
Severity: serious
Tags: patch

Certain kinds of problems in glob() result in a GLOB_ABORTED return
value.  In these circumstances, the glob_t passed in is likely to
contain partial results (per POSIX), and thus, globfree() needs to be
called to prevent a memory leak.

Unfortunately, glob() itself calls globfree() under certain
circumstances.  Calling globfree() again (which is legal and in fact
mandated under POSIX) causes certain portions of the structure to be
double-freed.  Under many circumstances, this results in infinite loops
or SIGSEGV during the next malloc.

The best way to fix it is for globfree() to do housekeeping on the
glob_t it's freeing, by setting gl_pathc to 0 and gl_pathv to NULL.
Then, when globfree() is called the second time, it knows to do
nothing.  A patch to that effect is attached (in debian/patches form).

(This is the same bug, basically, as 260767, except that the source of
the double-free I complained about has now been discovered.)

The severity is serious because this bug causes the LSB tests to hang,
specifically /tset/LSB.os/genuts/glob/T.glob 30.

Attachment: globfree-clear-pathc.dpatch
Description: application/shellscript
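An added illustration of the housekeeping the report proposes (this is example code written for this page, not the attached dpatch or glibc's globfree()): globfree_once() releases a glob_t and then zeroes gl_pathc and gl_pathv, so the second, POSIX-mandated call after a GLOB_ABORTED return becomes a no-op instead of a double free. The helper make_partial_glob() and the sample paths are constructed so the scenario can be exercised without having to provoke GLOB_ABORTED from the real glob().

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <glob.h>
#include <stdlib.h>
#include <string.h>

/* Free a glob_t once and reset it so a repeated call is a no-op; returns
 * the number of path strings released (0 on the repeated call). */
size_t globfree_once(glob_t *pglob)
{
    if (pglob->gl_pathv == NULL)
        return 0;                       /* already freed: nothing to do */
    size_t freed = pglob->gl_pathc;
    for (size_t i = 0; i < pglob->gl_pathc; i++)
        free(pglob->gl_pathv[pglob->gl_offs + i]);
    free(pglob->gl_pathv);
    pglob->gl_pathc = 0;                /* the housekeeping the report proposes */
    pglob->gl_pathv = NULL;
    return freed;
}

/* Build a glob_t holding constructed partial results, laid out as glob()
 * lays them out: gl_offs leading NULL slots, the paths, a final NULL. */
int make_partial_glob(glob_t *pglob, const char *const *paths, size_t n, size_t offs)
{
    memset(pglob, 0, sizeof *pglob);
    pglob->gl_offs = offs;
    pglob->gl_pathv = calloc(offs + n + 1, sizeof(char *));
    if (pglob->gl_pathv == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        pglob->gl_pathv[offs + i] = strdup(paths[i]);
        if (pglob->gl_pathv[offs + i] == NULL) {
            pglob->gl_pathc = i;        /* release what was copied so far */
            globfree_once(pglob);
            return -1;
        }
    }
    pglob->gl_pathc = n;
    return 0;
}
/* glob()'s internal free on GLOB_ABORTED, then the caller's POSIX-mandated free. */
int double_free_is_safe(void)
{
    static const char *const sample[] = { "/tmp/a", "/tmp/b", "/tmp/c" }; /* constructed */
    glob_t g;
    if (make_partial_glob(&g, sample, 3, 1) != 0)
        return 0;
    size_t first = globfree_once(&g);   /* the internal free inside glob() */
    size_t second = globfree_once(&g);  /* the caller's mandated globfree() */
    return first == 3 && second == 0 && g.gl_pathv == NULL && g.gl_pathc == 0;
}
```

Without the two reset assignments the second call would walk freed memory, which is exactly the crash-during-next-malloc symptom the report describes.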
