Date: Tue, 19 Dec 2000 08:00:09 -0800 (PST)
From: Mark Peek <mark@whistle.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Message-ID: <200012191600.eBJG09M43811@freefall.freebsd.org>
The following reply was made to PR misc/23521; it has been noted by GNATS.

From: Mark Peek <mark@whistle.com>
To: freebsd-gnats-submit@FreeBSD.org, luddes@hotmail.com
Cc:
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Date: Tue, 19 Dec 2000 07:53:44 -0800

The bug is due to code in __grow_type_table() trashing the stack from calling memset() with the wrong address. The patch below should fix the problem.

Note: it was interesting that the original vfprintf() code didn't crash when compiled with just "-g" but "-g -O" crashed it just fine.

Mark

Index: vfprintf.c
===================================================================
RCS file: /cvs/freebsd/src/lib/libc/stdio/vfprintf.c,v
retrieving revision 1.22
diff -u -r1.22 vfprintf.c
--- vfprintf.c 1999/08/28 00:01:20 1.22
+++ vfprintf.c 2000/12/18 03:50:48
@@ -1191,7 +1191,7 @@ reallocf (typetable, sizeof (unsigned char) * newsize); } - memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize)); + memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize)); *tablesize = newsize; }
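Review bot: the memset() fix is right, but the unchanged context line just above it, `reallocf (typetable, sizeof (unsigned char) * newsize);`, looks like the same pointer-level mix-up and should be checked in the same change. The `+` line treats `*typetable` as the table buffer, which means `typetable` itself is the address of the caller's table pointer, not a heap block; passing that to reallocf() would reallocate (and on failure free) memory that was never malloc()'d. Unless the declaration, which is not visible in this hunk, says otherwise, that line should read `reallocf (*typetable, sizeof (unsigned char) * newsize);`. For the record on the removed line: `&typetable [*tablesize]` indexes the pointer-to-pointer in pointer-sized strides, so it yields an address inside the caller's stack frame rather than inside the table, which is exactly the stack trashing the mail describes, and the only symptom at -O was a crash because the overwritten slots happened to hold live data; `*typetable + *tablesize` is the intended `&(*typetable)[*tablesize]`, and the byte length `newsize - *tablesize` is correct because the elements are unsigned char.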