Date:      Wed, 2 Oct 2002 14:38:09 -0700 (PDT)
From:      Jin Guojun (DSD staff) <jin@gracie.lbl.gov>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/43599: Balloc did not check mallocated pointer in libc/stdlib/strtod.c
Message-ID:  <200210022138.g92Lc9526855@gracie.lbl.gov>

>Number:         43599
>Category:       kern
>Synopsis:       Balloc did not check mallocated pointer in libc/stdlib/strtod.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 02 14:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jin Guojun (DSD staff)
>Release:        FreeBSD 4.x-RELEASE i386
>Organization:
>Environment:


	4.x-RELEASE /usr/src/lib/libc/stdlib/strtod.c

>Description:

	Program terminated with signal 11, Segmentation fault.
#0  0x80676ea in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
(xxgdb) print rv
$1 = (Bigint *) 0x0
(xxgdb) print x
$2 = 2
(xxgdb) print sizeof(Bigint)
$3 = 24
(xxgdb) print (x-1)*sizeof(long)
$4 = 4
(xxgdb) print sizeof(Bigint) + (x-1)*sizeof(long)
$5 = 28

 static Bigint *
Balloc
#ifdef KR_headers
	(k) int k;
#else
	(int k)
#endif
{
	int x;
	Bigint *rv;

	x = 1 << k;
	rv = (Bigint *)malloc(sizeof(Bigint) + (x-1)*sizeof(long));
***	rv->k = k;
	rv->maxwds = x;
	rv->sign = rv->wds = 0;
	return rv;
}

>How-To-Repeat:
	
>Fix:

	Check the rv after malloc.


>Release-Note:
>Audit-Trail:
>Unformatted:
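
Added example (not part of the original report, and not FreeBSD's code): one way to apply the suggested fix, with Balloc returning NULL on allocation failure and a caller propagating that result instead of dereferencing it. The struct layout, the names Balloc_checked, balloc_alloc, failing_alloc and bigint_from_word, and the range check on k are assumptions made for illustration.

```c
#include <limits.h>
#include <stdlib.h>

/* Assumed layout (not shown in the report); 24 bytes on i386. */
typedef struct Bigint {
	struct Bigint *next;
	int k, maxwds, sign, wds;
	unsigned long x[1];
} Bigint;

/* Hypothetical hook so a test can force the allocation-failure path. */
static void *(*balloc_alloc)(size_t) = malloc;

static void *failing_alloc(size_t n)
{
	(void)n;
	return NULL;	/* stands in for malloc() under memory exhaustion */
}

/* Balloc with the check the report asks for. */
static Bigint *Balloc_checked(int k)
{
	int x;
	Bigint *rv;

	/* Added guard: keep 1 << k and the size computation in range. */
	if (k < 0 || k > (int)(sizeof(int) * CHAR_BIT) - 3)
		return NULL;
	x = 1 << k;
	rv = balloc_alloc(sizeof(Bigint) + ((size_t)x - 1) * sizeof(rv->x[0]));
	if (rv == NULL)
		return NULL;	/* never dereference a failed allocation */
	rv->next = NULL;
	rv->k = k;
	rv->maxwds = x;
	rv->sign = rv->wds = 0;
	return rv;
}

/* Hypothetical caller: reports the failure instead of crashing. */
static int bigint_from_word(unsigned long w, Bigint **out)
{
	Bigint *b = Balloc_checked(1);

	if (b == NULL)
		return -1;
	b->x[0] = w;
	b->wds = 1;
	*out = b;
	return 0;
}
```

Checking rv inside Balloc only moves the problem unless every caller also tests the returned pointer, which is why the caller here returns an error code.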
