From owner-freebsd-bugs Tue Dec 19 8: 0:13 2000
From owner-freebsd-bugs@FreeBSD.ORG Tue Dec 19 08:00:10 2000
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 0A3A637B404
	for ; Tue, 19 Dec 2000 08:00:10 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id eBJG09M43811;
	Tue, 19 Dec 2000 08:00:09 -0800 (PST)
	(envelope-from gnats)
Date: Tue, 19 Dec 2000 08:00:09 -0800 (PST)
Message-Id: <200012191600.eBJG09M43811@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Mark Peek
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Reply-To: Mark Peek
Sender: gnats@FreeBSD.org
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR misc/23521; it has been noted by GNATS.

From: Mark Peek
To: freebsd-gnats-submit@FreeBSD.org, luddes@hotmail.com
Cc:
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Date: Tue, 19 Dec 2000 07:53:44 -0800

The bug is due to code in __grow_type_table() trashing the stack from
calling memset() with the wrong address. The patch below should fix the
problem.

Note: it was interesting that the original vfprintf() code didn't crash
when compiled with just "-g", but "-g -O" crashed it just fine.

Mark

Index: vfprintf.c
===================================================================
RCS file: /cvs/freebsd/src/lib/libc/stdio/vfprintf.c,v
retrieving revision 1.22
diff -u -r1.22 vfprintf.c
--- vfprintf.c	1999/08/28 00:01:20	1.22
+++ vfprintf.c	2000/12/18 03:50:48
@@ -1191,7 +1191,7 @@
 			reallocf (typetable, sizeof (unsigned char) * newsize);
 	}
-	memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize));
+	memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize));
 	*tablesize = newsize;
 }

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
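Review bot: the context line directly above the changed memset, `reallocf (typetable, sizeof (unsigned char) * newsize);`, passes `typetable` itself to reallocf. The fixed line establishes that `typetable` is an `unsigned char **` (it needs one dereference before indexing), so reallocf is being handed the address of the caller's pointer variable rather than the heap table; unless the line preceding this hunk (not shown) reads it as `*typetable = reallocf (*typetable, ...)`, this is the same pointer-level mistake the patch fixes in memset and should be corrected in the same commit. The memset length is fine as written since sizeof (unsigned char) is 1, and the `*tablesize = newsize;` update correctly happens after the new slots are initialised.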
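Added example in C, written here to illustrate the pointer-level mistake the patch corrects; it is not libc's vfprintf code and not Mark Peek's patch. It keeps the calling convention implied by the hunk (the caller passes the address of its `unsigned char *` table and of its size), uses realloc in place of reallocf, and assumes `T_UNUSED` is 0, a value the page does not show. `memset_targets_agree()` compares the two addresses from the `-`/`+` lines without writing to either: `&typetable[n]` never dereferences `typetable`, so it points at the caller's pointer variable (n == 0) or at pointer-sized steps past it, which in vfprintf is the caller's stack frame, while `*typetable + n` points into the table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed tag for an unused slot; the real enum value is not on the page. */
#define T_UNUSED 0

/*
 * Grow a table of per-argument type tags with the calling convention of
 * __grow_type_table(): the caller owns a local `unsigned char *typetable`
 * and a local size and passes the ADDRESS of both so the callee can swap
 * in a bigger buffer.  Example code, not libc's.  Returns 0 on success,
 * -1 if the allocation fails (the caller's table is left untouched).
 */
int grow_type_table(unsigned char **typetable, int *tablesize, int newsize)
{
    unsigned char *grown;

    if (newsize <= *tablesize)
        return 0;
    grown = realloc(*typetable, (size_t)newsize);   /* allocate via *typetable */
    if (grown == NULL)
        return -1;
    *typetable = grown;

    /* The fresh slots start at *typetable + *tablesize: dereference once to
     * reach the table, then index in units of unsigned char. */
    memset(*typetable + *tablesize, T_UNUSED, (size_t)(newsize - *tablesize));
    *tablesize = newsize;
    return 0;
}

/*
 * Compare the two memset targets from the patch without writing to either.
 * &typetable[n] treats the caller's pointer variable as element 0 of an
 * array of `unsigned char *` and steps n pointer widths past it; it never
 * reaches the table.  Returns 1 if both expressions name the same byte,
 * 0 otherwise.  Use n == 0 to stay within defined pointer arithmetic.
 */
int memset_targets_agree(unsigned char **typetable, int n)
{
    void *buggy = (void *)&typetable[n];     /* a slot next to the pointer variable */
    void *fixed = (void *)(*typetable + n);  /* an entry inside the table */
    return buggy == fixed;
}

/* Number of slots currently tagged T_UNUSED. */
int count_unused(const unsigned char *typetable, int tablesize)
{
    int i, n = 0;
    for (i = 0; i < tablesize; i++)
        if (typetable[i] == T_UNUSED)
            n++;
    return n;
}

/*
 * Mimic the caller: start with `initial` slots all marked in use (tag 1,
 * an assumed non-T_UNUSED value), grow to `newsize`, and report how many
 * new slots were initialised.  Returns -1 on allocation failure.
 */
int demo_grow(int initial, int newsize)
{
    unsigned char *typetable = malloc((size_t)initial);
    int tablesize = initial, unused;

    if (typetable == NULL)
        return -1;
    memset(typetable, 1, (size_t)initial);
    if (grow_type_table(&typetable, &tablesize, newsize) != 0) {
        free(typetable);
        return -1;
    }
    unused = count_unused(typetable, tablesize);
    free(typetable);
    return unused;
}

int main(void)
{
    unsigned char table[4] = {1, 1, 1, 1};   /* constructed sample table */
    unsigned char *typetable = table;

    printf("slots initialised by growing 4 -> 12: %d\n", demo_grow(4, 12));
    printf("&typetable[0] and *typetable + 0 agree: %d\n",
           memset_targets_agree(&typetable, 0));
    return 0;
}
```

The disagreement at index 0 is the whole bug in miniature: with the `-` line, the first byte memset touches is the pointer variable itself, and every further byte walks along the caller's frame in steps that also never correspond to table entries.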