Date: Mon, 15 Jan 2001 18:20:02 -0800 (PST)
Message-Id: <200101160220.f0G2K2q56458@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Tor.Egge@fast.no
Subject: Re: bin/15070: vfprintf/cvt/__dtoa race condition in threaded programs
Reply-To: Tor.Egge@fast.no

The following reply was made to PR bin/15070; it has been noted by GNATS.

From: Tor.Egge@fast.no
To: wollman@khavrinen.lcs.mit.edu
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/15070: vfprintf/cvt/__dtoa race condition in threaded programs
Date: Tue, 16 Jan 2001 03:11:04 +0100

 This uncovered another old __dtoa() bug.

 	*resultp = (char *) malloc(i);

 in the patch must be changed to

 	*resultp = (char *) malloc(i + 1);

 in order to avoid writing beyond the end of the allocated memory.

 Otherwise the sample program

 	#include <stdio.h>
 	#include <stdlib.h>

 	int main(int argc,char **argv)
 	{
 	  (void) malloc(4);
 	  printf("%.23e\n", 2.4);
 	  return 0;
 	}

 linked with Electric Fence crashes on the i386 platform.

 - Tor Egge
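The off-by-one described in the message above, as an added example that is not part of the original message or the FreeBSD patch. It assumes that i is the digit count and that the extra byte is a terminating NUL; emit_digits(), overruns() and the digit string are hypothetical stand-ins, with a guard byte after the buffer playing the role Electric Fence plays in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5u

/* Constructed sample: 24 digits, the count "%.23e" asks for. */
static const char SAMPLE_DIGITS[] = "240000000000000000000000";

/* Hypothetical stand-in for the digit producer (not __dtoa itself):
 * stores n digit characters followed by a terminating NUL, n + 1 bytes. */
static void emit_digits(char *out, const char *digits, size_t n)
{
    memcpy(out, digits, n);
    out[n] = '\0';
}

/* Gives the producer `alloc` usable bytes and places one guard byte right
 * after them, so a one-byte overrun lands on the guard instead of on
 * foreign heap memory. Returns 1 if the guard was overwritten, 0 if it
 * survived, -1 if alloc cannot even hold the digits or malloc fails. */
static int overruns(size_t alloc, const char *digits)
{
    size_t n = strlen(digits);
    unsigned char *buf;
    int hit;

    if (alloc < n)
        return -1;
    buf = malloc(alloc + 1);          /* +1 is the guard, not usable space */
    if (buf == NULL)
        return -1;
    buf[alloc] = GUARD;
    emit_digits((char *)buf, digits, n);
    hit = (buf[alloc] != GUARD);
    free(buf);
    return hit;
}

int main(void)
{
    size_t i = strlen(SAMPLE_DIGITS);

    printf("malloc(i):     overrun=%d\n", overruns(i, SAMPLE_DIGITS));
    printf("malloc(i + 1): overrun=%d\n", overruns(i + 1, SAMPLE_DIGITS));
    return 0;
}
```

When reproducing a one-byte overrun like this under Electric Fence itself, set EF_ALIGNMENT=0, since its default word alignment can leave slack after an allocation whose size is not a multiple of the word size.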