Reading from uninitialized memory in ltdl.c's version of realloc...

libtool

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Reading from uninitialized memory in ltdl.c's version of realloc...

From:	Tom Epperly
Subject:	Reading from uninitialized memory in ltdl.c's version of realloc...
Date:	Mon, 19 Aug 2002 08:49:48 -0700
User-agent:	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615 Debian/1.0.0-3

The function, rpl_realloc, in ltdl.c will read past the end of theinitial allocated block when the size is increasing.


Some usage patterns can lead to a seg fault.  For example,

int main(int argc, char **argv)
{
 void *m1 = malloc(1000000);
 void *m2 = malloc(128);
 free(m1);
 rpl_realloc(m2, 1000000);
}

On a x86 GNU/Linux system running 2.4.18 and libc6 (based on DebianUnstable), I see the follow when running in gdb.


address@hidden/tmp/testcase]>gdb a.out
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider 
re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run

Starting program: /tmp/testcase/a.out

Program received signal SIGSEGV, Segmentation fault.
0x4009cdc7 in memcpy () from /lib/libc.so.6
(gdb) up
#1  0x08048c34 in rpl_realloc (ptr=0x804e2d0, size=1000000) at ltdl.c:394
394               memcpy (mem, ptr, size);
(gdb) print mem
$1 = (void *) 0x40143008
(gdb) print ptr
$2 = (void *) 0x804e2d0
(gdb) up
#2  0x0804cd14 in main (argc=1, argv=0xbffffbc4) at ltdl.c:3976
3976      rpl_realloc(m2, 1000000);
(gdb) print m1
$3 = (void *) 0x40143008
(gdb) print m2
$4 = (void *) 0x804e2d0
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n) y


Here is another example:

int main(int argc, char **argv)
{
 void *m1 = malloc(128);
 rpl_realloc(m1, 1000000);
}

address@hidden/tmp/testcase]>gdb ./a.out
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider 
re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run

Starting program: /tmp/testcase/a.out

Program received signal SIGSEGV, Segmentation fault.
0x4009cdc7 in memcpy () from /lib/libc.so.6
(gdb) up
#1  0x08048c34 in rpl_realloc (ptr=0x804e2b0, size=1000000) at ltdl.c:394
394               memcpy (mem, ptr, size);
(gdb) print ptr
$1 = (void *) 0x804e2b0
(gdb) print mem
$2 = (void *) 0x40143008
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n) y
address@hidden/tmp/testcase]>

[Prev in Thread]

Current Thread

[Next in Thread]

Reading from uninitialized memory in ltdl.c's version of realloc..., Tom Epperly <=
- Re: Reading from uninitialized memory in ltdl.c's version of realloc..., Tom Epperly, 2002/08/19

Prev by Date: Re: linking static libs into shared lib with libtool
Next by Date: Re: linking static libs into shared lib with libtool
Previous by thread: linking static libs into shared lib with libtool
Next by thread: Re: Reading from uninitialized memory in ltdl.c's version of realloc...
Index(es):
- Date
- Thread