set_field_buffer memory problems

From: Mike Gran
Subject: set_field_buffer memory problems
Date: Fri, 5 Dec 2008 22:40:28 -0800 (PST)

I'm running an unpatched 5.7, and I'm having difficulty with a crash in 
set_field_buffer.  In the crash, glibc reports a double-free or corruption at 
the call to "free(widevalue)" in set_field_buffer() at frm_driver.c:4394

I have wide characters enabled (linked against formw_g).

I couldn't seem to make a small program that reliably reproduced the crash, 
but I did make a small program that Valgrind flagged as bad.  Consider the 
following:

#include <form.h>

int main(void)
{
  FIELD *f;

  initscr();                      /* set up curses first; libform builds on curses windows */
  f = new_field(1, 10, 0, 0, 0, 0);
  field_opts_off(f, O_STATIC);    /* dynamic field: it may grow past its 10 columns */
  set_field_buffer(f, 0, "ABCDEFGHIJKLMNOPQRSTUVWXYZ");
  free_field(f);
  endwin();

  return 0;
}

Valgrind complains about this:

==32214== Invalid write of size 4
==32214==    at 0x806512E: win_wchnstr (lib_in_wchnstr.c:67)
==32214==    by 0x80509DF: set_field_buffer (frm_driver.c:4380)
==32214==    by 0x8049768: main (f002_data.c:12)
==32214==  Address 0x41e5ee0 is 0 bytes after a block of size 648 alloc'd
==32214==    at 0x40218F9: calloc (vg_replace_malloc.c:397)
==32214==    by 0x805095B: set_field_buffer (frm_driver.c:4372)
==32214==    by 0x8049768: main (f002_data.c:12)

The problem might have something to do with this call in set_field_buffer() ...

4380              mvwin_wchnstr(field->working, i, 0,
4381                            widevalue + (i * field->dcols),
4382                            field->dcols);

... where widevalue has been allocated to a smaller size than field->dcols.  
There could be a write off the end of the widevalue array (?).


Mike Gran
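The size mismatch described in the report, as an added illustration that is not code from the post or from ncurses: a destination buffer sized from strlen(value)+1 while the row loop copies drows rows of dcols cells each. The toy_field struct, the chunked growth policy in toy_grow() and the blank-padded window contents are assumptions made for the demo; libform's real structures and growth rules differ. The unsafe pattern is modelled by counting the cells that would land past the end instead of performing the stores, and the hardened copy sizes the destination from the window geometry, which is what the loop actually reads.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Toy model of a dynamic (O_STATIC off) form field.  The struct and the
 * growth policy below are assumptions for this demo, not libform's own. */
struct toy_field {
    size_t drows;   /* rows of the working window    */
    size_t dcols;   /* columns of the working window */
};

/* Grow a one-row dynamic field until it holds len characters, widening in
 * steps of `chunk` columns (assumed policy).  Returns the final column count. */
size_t toy_grow(struct toy_field *f, size_t len, size_t chunk)
{
    while (f->dcols < len)
        f->dcols += chunk;
    return f->dcols;
}

/* Contents a working window would hold after the buffer was set:
 * drows*dcols cells, the string's bytes followed by blank padding.
 * Caller frees. */
wchar_t *toy_window(const struct toy_field *f, const char *value)
{
    size_t n = f->drows * f->dcols, len = strlen(value), i;
    wchar_t *w = malloc(n * sizeof *w);
    if (!w)
        return NULL;
    for (i = 0; i < n; i++)
        w[i] = i < len ? (wchar_t)(unsigned char)value[i] : L' ';
    return w;
}

/* The pattern in the report: destination sized from strlen(value)+1, but
 * the loop reads drows rows of dcols cells each.  This version performs no
 * out-of-bounds stores; it counts the cells that would land past the end
 * of such a destination, so the mismatch can be checked numerically. */
size_t cells_past_end(const struct toy_field *f, const char *value)
{
    size_t dst_cells = strlen(value) + 1;
    size_t written = 0, past = 0, r, c;
    for (r = 0; r < f->drows; r++)
        for (c = 0; c < f->dcols; c++, written++)
            if (written >= dst_cells)
                past++;
    return past;
}

/* Hardened variant: size the destination from the window geometry, which
 * is exactly what the row loop reads, and NUL-terminate.  Caller frees. */
wchar_t *copy_field_checked(const struct toy_field *f, const wchar_t *win)
{
    size_t n = f->drows * f->dcols, r, c;
    wchar_t *dst = calloc(n + 1, sizeof *dst);
    if (!dst)
        return NULL;
    for (r = 0; r < f->drows; r++)
        for (c = 0; c < f->dcols; c++)
            dst[r * f->dcols + c] = win[r * f->dcols + c];
    dst[n] = L'\0';
    return dst;
}

int main(void)
{
    struct toy_field f = { 1, 10 };
    const char *value = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";   /* 26 chars, as in the report */
    wchar_t *win, *copy;

    toy_grow(&f, strlen(value), 10);   /* dcols: 10 -> 20 -> 30 under the assumed policy */
    printf("loop reads %zu cells, strlen-sized buffer holds %zu, %zu would land past the end\n",
           f.drows * f.dcols, strlen(value) + 1, cells_past_end(&f, value));

    win = toy_window(&f, value);
    copy = copy_field_checked(&f, win);
    if (copy)
        printf("checked copy holds %zu cells\n", wcslen(copy));
    free(copy);
    free(win);
    return 0;
}
```

The point to carry back to the real code is the invariant, not the toy numbers: whatever per-row copy bound the loop uses must be derived from the same quantity the destination was sized from. Sizing from the input string while iterating over the grown window geometry is exactly the gap Valgrind reported.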
