Fixes for arm64 / aarch64 #3
Conversation
| @@ -99,7 +99,6 @@ size_t _BDATA::grow( size_t new_real ) | |||
| if( data_buff != NULL ) | |||
| { | |||
| memcpy( new_buff, data_buff, data_real ); | |||
| delete [] data_buff; | |||
There was a problem hiding this comment.
The double free or corruption error occurs when memory is freed twice or when memory is freed that was not previously allocated. It seems that the data_buff pointer is being freed twice: once in the grow method and again in the ~_BDATA destructor.
To fix that we can just don't try to free the memory in the grow method.
There was a problem hiding this comment.
I think your changes would hide an already-existing use-after-free bug. If "data_buff" was already freed, and we just copied data out of it, then what the heck did we just copy?
I'm working on my own fix right now. The root cause in my test case (missing configuration data) appears to be in _CONFIG_MANAGER::file_vpn_load. When config.get_ispublic() is true, if sites_all isn't set, then it adds an empty string to the path. That alone isn't a problem, but then it goes to try to add a delimiter to "size-1", which causes an integer overflow. It doesn't appear ins was written to detect this edge case.
| @@ -405,7 +405,7 @@ bool _CONFIG_MANAGER::file_vpn_del( CONFIG & config ) | |||
|
|
|||
| bool read_line_pcf( FILE * fp, BDATA & name, BDATA & data ) | |||
| { | |||
| char next; | |||
| int next; | |||
There was a problem hiding this comment.
We should not compare unsigned chars to EOF (-1), so here the fix is to avoid casting the return value of fgetc, otherwise the config will not be loaded correctly (the casted value will be 255 instead of -1)
The exactly same problem happened here: https://bugs.webkit.org/show_bug.cgi?id=144439
|
Closing. First commit ( |
Fixes #2