From owner-freebsd-bugs Wed Oct 2 14:40: 4 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <200210022138.g92Lc9526855@gracie.lbl.gov>
Date: Wed, 2 Oct 2002 14:38:09 -0700 (PDT)
From: Jin Guojun (DSD staff)
Reply-To: j_guojun@lbl.gov
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/43599: Balloc did not check mallocated pointer in libc/stdlib/strtod.c
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk

>Number: 43599
>Category: kern
>Synopsis: Balloc did not check mallocated pointer in libc/stdlib/strtod.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 02 14:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Jin Guojun (DSD staff)
>Release: FreeBSD 4.x-RELEASE i386
>Organization:
>Environment:
	4.x-RELEASE
	/usr/src/lib/libc/stdlib/strtod.c
>Description:
	Program terminated with signal 11, Segmentation fault.
	#0  0x80676ea in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
	(xxgdb) print rv
	$1 = (Bigint *) 0x0
	(xxgdb) print x
	$2 = 2
	(xxgdb) print sizeof(Bigint)
	$3 = 24
	(xxgdb) print (x-1)*sizeof(long)
	$4 = 4
	(xxgdb) print sizeof(Bigint) + (x-1)*sizeof(long)
	$5 = 28

	 static Bigint *
	Balloc
	#ifdef KR_headers
		(k) int k;
	#else
		(int k)
	#endif
	{
		int x;
		Bigint *rv;

		x = 1 << k;
		rv = (Bigint *)malloc(sizeof(Bigint) + (x-1)*sizeof(long));
	***	rv->k = k;
		rv->maxwds = x;
		rv->sign = rv->wds = 0;
		return rv;
	}
>How-To-Repeat:
>Fix:
	Check the rv after malloc.
>Release-Note:
>Audit-Trail:
>Unformatted:
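
The check the report asks for, as an added example that is not part of the original report or of the FreeBSD source. The Bigint layout beyond the four fields shown above, the alloc_fn/failing_alloc hook, and the names Balloc_checked and bigint_from_word are assumptions made for illustration; the example also bounds the size computation and shows a caller propagating the failure, which goes slightly beyond the one-line fix in the report.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed layout: the report only shows the k, maxwds, sign and wds fields. */
typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds, sign, wds;
    unsigned long x[1];
} Bigint;

/* Hypothetical hook so the out-of-memory path can be exercised on demand. */
static void *(*alloc_fn)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Balloc with the missing check: returns NULL instead of dereferencing it. */
static Bigint *Balloc_checked(int k)
{
    Bigint *rv;
    size_t x;

    /* Reject shift counts and sizes that would overflow before allocating. */
    if (k < 0 || k >= (int)(sizeof(int) * CHAR_BIT) - 1)
        return NULL;
    x = (size_t)1 << k;
    if (x - 1 > (SIZE_MAX - sizeof(Bigint)) / sizeof(long))
        return NULL;
    rv = alloc_fn(sizeof(Bigint) + (x - 1) * sizeof(long));
    if (rv == NULL)                 /* the case the report's Balloc misses */
        return NULL;
    rv->next = NULL;
    rv->k = k;
    rv->maxwds = (int)x;
    rv->sign = rv->wds = 0;
    return rv;
}

/* Hypothetical caller: the NULL is passed up as an error, not dereferenced. */
static int bigint_from_word(unsigned long w, Bigint **out)
{
    if ((*out = Balloc_checked(1)) == NULL)
        return -1;
    (*out)->x[0] = w;
    (*out)->wds = 1;
    return 0;
}
```

Checking rv inside the allocator only moves the problem unless every caller also tests the returned pointer, as bigint_from_word does here.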