* [9fans] fossil memory corruption
@ 2014-04-03 3:33 erik quanstrom
2014-04-03 3:39 ` erik quanstrom
0 siblings, 1 reply; 2+ messages in thread
From: erik quanstrom @ 2014-04-03 3:33 UTC (permalink / raw)
To: 9fans
small but potentially deadly ....
diff -c /n/dump/2014/0402/sys/src/cmd/fossil/9fsys.c 9fsys.c
/n/dump/2014/0402/sys/src/cmd/fossil/9fsys.c:34,40 - 9fsys.c:34,40
char* curfsys;
} sbox;
- static char *_argv0;
+ char *_argv0;
#define argv0 _argv0
static char FsysAll[] = "all";
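Review bot: dropping `static` from `_argv0` exports a leading-underscore global that has no declaration in any header, so the `extern char *_argv0;` that Ccli.c now carries can drift from this definition without the compiler noticing; declare it once in a header both files include, or keep it static and export a small reset function from 9fsys.c instead. Note that `#define argv0 _argv0` on the next line stays file-local, so other files only ever see the variable under the `_argv0` spelling.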
diff -c /n/dump/2014/0402/sys/src/cmd/fossil/Ccli.c Ccli.c
/n/dump/2014/0402/sys/src/cmd/fossil/Ccli.c:33,38 - Ccli.c:33,40
return 0;
}
+ extern char *_argv0;
+
int
cliExec(char* buf)
{
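Review bot: the `extern char *_argv0;` lands between two function bodies in the middle of Ccli.c; move it up with the file's other declarations, and prefer a header shared with 9fsys.c so the type is checked against the definition. As written, Ccli.c is also coupled to an implementation detail of 9fsys.c (that its `argv0` macro maps to `_argv0`); a reset helper exported from 9fsys.c would hide that.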
/n/dump/2014/0402/sys/src/cmd/fossil/Ccli.c:57,62 - Ccli.c:59,65
vtUnlock(cbox.lock);
if(!(r = cbox.cmd[i].cmd(argc, argv)))
consPrint("%s\n", vtGetError());
+ _argv0 = nil; /* evade defn of ARGBEGIN */
vtMemFree(p);
return r;
}
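Review bot: the reset must stay ahead of `vtMemFree(p)`: after ARGBEGIN, `_argv0` is the command's `argv[0]`, and if that token lives in the buffer `p` freed on the next line, the pointer dangles the moment `p` goes away; say so in the comment instead of `evade defn of ARGBEGIN`, e.g. `/* ARGBEGIN only sets argv0 when it is nil; clear it so the next command cannot reuse a freed name */`. Two further points: `vtUnlock(cbox.lock)` runs before the command, so if two console lines can execute concurrently they share the one global and this reset races with the other command's ARGBEGIN; and clearing `_argv0` just before `cbox.cmd[i].cmd(argc, argv)` as well would protect the first command run after any other code path that set `argv0` and did not clear it.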
* Re: [9fans] fossil memory corruption
From: erik quanstrom @ 2014-04-03 3:39 UTC (permalink / raw)
To: 9fans
i should explain further, since this is sneaky. since we're calling
ARGBEGIN lots of times, we hit a special case. the defn is
#define ARGBEGIN for((argv0||(argv0=*argv)),argv++,argc--;\
a subsequent call to ARGBEGIN will not reset argv0, and worse, argv0
can be pointing to bogus memory.
- erik
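The sticky-argv0 behaviour described above, shown in an added C example that is not fossil's or Plan 9's code: `ARGBEGIN`/`ARGEND` below are a cut-down model of the libc macros in which only the `argv0||(argv0=*argv)` clause quoted in the thread is reproduced faithfully, `tokenize` is a simplified stand-in for tokenize(2), and `cliexec` is a hypothetical model of fossil's cliExec (copy the line, tokenize it, let the command parse its flags, optionally reset argv0 as the patch does). One deliberate difference is labelled in the code: each console line is copied into a slot that is never freed, so the names the two commands saw can be compared safely, whereas fossil frees the copy and a leftover `argv0` dangles.

```c
#include <stdio.h>
#include <string.h>

#define nil ((void*)0)

/*
 * Cut-down model of the Plan 9 ARGBEGIN/ARGEND macros, written for this
 * example. The real ARGBEGIN also decodes runes and handles "--"; the only
 * part reproduced exactly is the first clause quoted in the thread:
 * argv0 is assigned only while it is still nil.
 */
static char *argv0;

#define ARGBEGIN for((argv0||(argv0=*argv)),argv++,argc--;\
			argv[0] && argv[0][0]=='-' && argv[0][1];\
			argc--, argv++){\
				char *_args = &argv[0][1];\
				while(*_args)\
				switch(*_args++)
#define ARGEND	}

enum { MAXARG = 16, NSLOT = 8, SLOTLEN = 64 };

/*
 * Each console line gets its own copy. In fossil that copy is heap memory
 * which cliExec frees after the command returns, so an un-reset argv0 is a
 * dangling pointer there. These slots are never freed (a deliberate
 * difference) so the names returned below stay valid for comparison; the
 * stickiness of argv0 is the same either way.
 */
static char slots[NSLOT][SLOTLEN];
static int nextslot;

/* Minimal whitespace tokenizer standing in for tokenize(2); args[] gets a
 * trailing nil so the ARGBEGIN loop condition can stop on it. */
static int
tokenize(char *s, char **args, int max)
{
	int n = 0;

	while(n < max){
		while(*s == ' ' || *s == '\t')
			s++;
		if(*s == 0)
			break;
		args[n++] = s;
		while(*s && *s != ' ' && *s != '\t')
			s++;
		if(*s)
			*s++ = 0;
	}
	args[n] = nil;
	return n;
}

/* Hypothetical model of cliExec: copy, tokenize, let the command parse its
 * flags, then (when fix is set) clear argv0 as the patch in the thread does.
 * Returns the argv0 the command saw, or nil for an empty line. */
static const char*
cliexec(const char *line, int fix)
{
	char *p = slots[nextslot++ % NSLOT];
	char *args[MAXARG+1];
	char **argv = args;
	const char *seen;
	int argc;

	strncpy(p, line, SLOTLEN-1);
	p[SLOTLEN-1] = 0;
	argc = tokenize(p, args, MAXARG);
	if(argc == 0)
		return nil;
	ARGBEGIN{
	case 'v':	/* any flag will do; only the argv0 handling is under test */
		break;
	}ARGEND
	seen = argv0;
	if(fix)
		argv0 = nil;	/* the patch: clear so the next ARGBEGIN starts fresh */
	return seen;
}

/* Runs two console commands from a fresh state and returns the program name
 * the second one saw in argv0. Without the reset it is the first command's. */
static const char*
second_argv0(int fix)
{
	argv0 = nil;
	nextslot = 0;
	cliexec("fsys -v main", fix);
	return cliexec("snap -a", fix);
}

int
main(void)
{
	printf("without reset: second command's argv0 = %s\n", second_argv0(0));
	printf("with reset:    second command's argv0 = %s\n", second_argv0(1));
	return 0;
}
```

Run as is, the second command (`snap`) reports `fsys` as its argv0 until the reset is in place; in fossil that stale name would additionally point into a buffer that `vtMemFree(p)` has already released, which is the corruption the thread is about.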