This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATH] Avoid double memory free if __sfvwrite_r() fails

From: "Aleksandr Platonov" <pam at oktetlabs dot ru>
To: newlib at sourceware dot org
Date: Tue, 20 Dec 2011 12:33:37 +0400
Subject: [PATH] Avoid double memory free if __sfvwrite_r() fails
Reply-to: newlib at sourceware dot org

Hi.
fclose() function frees memory area pointed to by fp->_bf._base if __SMBF
flag is set. But __sfvwrite_r() frees this memory area if _realloc_r()
fails (see fvwrite.c, line 159) and does not clear __SMBF flag, so this
memory area will be freed ones again at fclose() call.


Index: ./newlib/libc/stdio/fvwrite.c
===================================================================
RCS file: /cvs/src/src/newlib/libc/stdio/fvwrite.c,v
retrieving revision 1.15
diff -u -r1.15 fvwrite.c
--- ./newlib/libc/stdio/fvwrite.c	14 Jun 2011 03:56:05 -0000	1.15
+++ ./newlib/libc/stdio/fvwrite.c	20 Dec 2011 08:28:59 -0000
@@ -157,6 +157,7 @@
 			{
 			  /* Free buffer which is no longer used.  */
 			  _free_r (ptr, fp->_bf._base);
+			  fp->_flags &=  ~__SMBF;
 			  /* Ensure correct errno, even if free changed it.  */
 			  ptr->_errno = ENOMEM;
 			  goto err;

Follow-Ups:
- Re: [PATH] Avoid double memory free if __sfvwrite_r() fails
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]