unrtf / b104a6c
Fix Invalid read of size 4 in attr_get_param Willi Mann 9 years ago
2 changed file(s) with 38 addition(s) and 0 deletion(s).
0 From: Fabian Keil <fk@fabiankeil.de>
1 Date: Thu, 4 Dec 2014 18:15:29 +0100
2 Subject: attrstack_drop(): Properly drop the last stack element
3
4 Previously stack_of_stacks_top would point to free'd memory,
5 resulting in:
6
7 ==38960== Invalid read of size 4
8 ==38960== at 0x402853: attr_get_param (attr.c:355)
9 ==38960== by 0x40818A: word_print_core (convert.c:3412)
10 ==38960== by 0x406DBC: word_print (convert.c:3451)
11 ==38960== by 0x40CA27: main (main.c:267)
12 ==38960== Address 0x1e065e0 is 90,000 bytes inside a block of size 90,016 free'd
13 ==38960== at 0x1068498: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
14 ==38960== by 0x40CBD3: my_free (malloc.c:91)
15 ==38960== by 0x402E8C: attrstack_drop (attr.c:582)
16 ==38960== by 0x40812F: word_print_core (convert.c:3403)
17 ==38960== by 0x406DBC: word_print (convert.c:3451)
18 ==38960== by 0x40CA27: main (main.c:267)
19 ==38960==
20 ---
21 src/attr.c | 2 +-
22 1 file changed, 1 insertion(+), 1 deletion(-)
23
24 diff --git a/src/attr.c b/src/attr.c
25 index bc19b6c..2c2552b 100644
26 --- a/src/attr.c
27 +++ b/src/attr.c
28 @@ -571,7 +571,7 @@ attrstack_drop ()
29 while(prev_stack && prev_stack->next && prev_stack->next != stack)
30 prev_stack = prev_stack->next;
31
32 - if (prev_stack) {
33 + if (prev_stack && (prev_stack != stack_of_stacks_top)) {
34 stack_of_stacks_top = prev_stack;
35 prev_stack->next = NULL;
36 } else {
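Review bot: The added condition in the `if` of `attrstack_drop()` compares `prev_stack` against the global `stack_of_stacks_top`, while the loop directly above it searches for the local `stack` (`prev_stack->next != stack`). If `stack` is the element being dropped, as the loop suggests, writing the test as `prev_stack != stack` would keep both lines talking about the same object and would not depend on the global still being unchanged at this point. The condition also needs a short comment saying that `prev_stack` equal to the top means the list holds a single element with no predecessor, so control must fall through to the `else` branch; without it the extra clause reads as redundant. The Valgrind trace in the message shows the path (`word_print_core` calling `attrstack_drop` and then `attr_get_param`), so a regression input exercising that path would be worth adding with the fix.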
00 0001-check-that-accesses-to-color-table-stay-within-bound.patch
11 0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch
22 0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch
3 0004-attrstack_drop-Properly-drop-the-last-stack-element.patch