On Mon, Oct 03, 2011 at 01:46:51PM +0200, Peter Schiffer wrote:
> I am sending a quick-fix patch solving a double free or corruption
> crash in man-db.
>
> This man page caused the problem:
>
> ult_src: File /usr/share/man/man8/dpm-srmv1.8.gz in mantree /usr/share/man
> ult_softlink: (/usr/lib64/dpm-mysql/dpm-srmv1.8.gz)
> "srmv1 - start the SRM v1 server"
> record = 'srmv1 - start the SRM v1 server'
> trace->names[0] = '/usr/share/man/man8/dpm-srmv1.8.gz'
> trace->names[1] = '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz'
> mandb: warning: /usr/lib64/dpm-mysql/dpm-srmv1.8.gz: ignoring bogus filename
>
> When the function filename_info is called from
> src/descriptions_store.c:95 with
> '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz' as the first param, it exits on
> src/filenames.c:140 because of the bogus filename (info->sec is '-mysql'
> instead of 8), returns null and doesn't set trace_info.name.
> After that, trying to free trace_info.name in
> src/descriptions_store.c:119 causes the crash.
>
> The patch is only a hotfix; feel free to modify it or solve this issue
> any way you wish.
Thanks for your analysis and patch. I think it would be better to
change filename_info to ensure that all info fields are defined on exit,
either manually or by calling memset at the start; that way we're sure
to avoid this bug at all call sites, not just in store_descriptions.
Could you try that instead?
I would also appreciate a test case in src/tests/ exercising this bug,
if you can.
Thanks,
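As an added illustration of the bug reported above and of the fix suggested in the reply (zero every field of the info struct on entry so that every exit path leaves it defined), here is a constructed C model. It is not man-db's own code: `struct file_info`, `filename_info_body`, the two `filename_info_*` wrappers and `store_description_ok` are hypothetical stand-ins for the real `filename_info` / `store_descriptions` pair, reduced to the one behaviour the report describes: the section is derived from the parent directory (so `dpm-mysql` yields `-mysql`), a mismatch with the file's extension makes the function return early, and the caller then unconditionally frees `trace_info.name`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of man-db's filename info struct (not the project's own). */
struct file_info {
    char *name;    /* heap copy of the basename without ".gz", or NULL when unset */
    char sec[16];  /* section string: "8" for a sane path, "-mysql" for the bogus one */
};

/* Shared parser body. Mirrors the reported failure mode: on a bogus filename it
   returns 0 before info->name has ever been assigned, so whatever the caller
   had in that field (stack garbage, in the real crash) is left untouched. */
static int filename_info_body(const char *path, struct file_info *info) {
    const char *slash = strrchr(path, '/');
    if (!slash) return 0;
    const char *file = slash + 1;
    /* Parent directory component: expected to be "man<sec>"; the section is
       whatever follows the first three characters, so "dpm-mysql" -> "-mysql". */
    const char *dir = slash;
    while (dir > path && dir[-1] != '/') dir--;
    size_t dir_len = (size_t)(slash - dir);
    if (dir_len <= 3 || dir_len - 3 >= sizeof info->sec) return 0;
    memcpy(info->sec, dir + 3, dir_len - 3);
    info->sec[dir_len - 3] = '\0';

    /* Strip a trailing ".gz" and locate the file's own section extension. */
    size_t len = strlen(file);
    if (len > 3 && strcmp(file + len - 3, ".gz") == 0) len -= 3;
    size_t dotpos = len;
    while (dotpos > 0 && file[dotpos - 1] != '.') dotpos--;
    if (dotpos == 0) return 0;
    /* Bogus filename: extension does not agree with the directory's section.
       Early exit, and info->name is never assigned. */
    if (strncmp(file + dotpos, info->sec, strlen(info->sec)) != 0) return 0;

    info->name = malloc(len + 1);
    if (!info->name) return 0;
    memcpy(info->name, file, len);
    info->name[len] = '\0';
    return 1;
}

/* Buggy variant: the struct is used exactly as the caller passed it. */
static int filename_info_buggy(const char *path, struct file_info *info) {
    return filename_info_body(path, info);
}

/* Fixed variant, following the suggestion in the thread: memset on entry so
   that every exit path, including the early returns, leaves info defined. */
static int filename_info_fixed(const char *path, struct file_info *info) {
    memset(info, 0, sizeof *info);
    return filename_info_body(path, info);
}

/* Model of the caller in descriptions_store.c: it frees trace_info.name no
   matter what filename_info returned. Returns 1 if that free() is safe (NULL or
   a fresh allocation) and 0 if it would have been handed a stale pointer.
   The stale pointer is simulated rather than dereferenced, so this runs safely. */
static int store_description_ok(const char *path, int use_fixed) {
    struct file_info trace_info;
    char stale;                 /* stands in for whatever garbage the stack held */
    trace_info.name = &stale;   /* a pointer free() must never see */
    if (use_fixed) filename_info_fixed(path, &trace_info);
    else           filename_info_buggy(path, &trace_info);
    if (trace_info.name == &stale) return 0;  /* real code: free(garbage) -> crash */
    free(trace_info.name);      /* free(NULL) is a no-op; an allocation is released */
    return 1;
}

int main(void) {
    const char *bogus = "/usr/lib64/dpm-mysql/dpm-srmv1.8.gz";  /* path from the report */
    printf("buggy: %s\n", store_description_ok(bogus, 0) ? "safe" : "would free a stale pointer");
    printf("fixed: %s\n", store_description_ok(bogus, 1) ? "safe" : "would free a stale pointer");
    return 0;
}
```

The point of zeroing on entry rather than patching the one caller is visible in `store_description_ok`: with the fixed variant the caller's unconditional `free(trace_info.name)` becomes `free(NULL)` on the bogus path, and any other call site that follows the same pattern is protected without being changed.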