use-after-free in comps_objmrtree_unite function #41

Closed
ret2libc opened this issue Jan 21, 2019 · 0 comments
pair is freed in

but it is accessed again at the next iteration at `pair->added = 0;`, accessing memory that was just recently freed.

Valgrind output:

```
==12199== Invalid write of size 1
==12199==    at 0x48995CF: comps_objmrtree_unite (comps_objmradix.c:306)
==12199==    by 0x4012F8: main (test2.c:35)
==12199==  Address 0x4ff30e0 is 16 bytes inside a block of size 24 free'd
==12199==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==12199==    by 0x489974B: comps_objmrtree_unite (comps_objmradix.c:347)
==12199==    by 0x4012F8: main (test2.c:35)
==12199==  Block was alloc'd at
==12199==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==12199==    by 0x48995E9: comps_objmrtree_unite (comps_objmradix.c:308)
==12199==    by 0x4012F8: main (test2.c:35)
```
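
The lifetime error reported above, reduced to a minimal loop as an added example; this is not libcomps code and not from the reporter. `struct pair`'s layout and the functions `count_even_buggy` and `count_even_fixed` are hypothetical; only the ordering (a write to `pair->added`, then the allocation, then a `free` later in the same loop body) follows the Valgrind trace.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical record; only the `added` flag is taken from the report. */
struct pair { int key; char added; };

#ifdef SHOW_BUG
/* Reported shape: `pair` lives outside the loop, is freed at the end of an
 * iteration and written at the top of the next. Build with -DSHOW_BUG and
 * call this under Valgrind or ASan to reproduce an invalid write. */
int count_even_buggy(const int *keys, size_t n) {
    struct pair first = {0, 0}, *pair = &first;
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        pair->added = 0;               /* i >= 1: block freed below */
        pair = malloc(sizeof *pair);   /* replaced only after the write */
        if (!pair) return -1;
        pair->key = keys[i];
        if (pair->key % 2 == 0) { pair->added = 1; hits++; }
        free(pair);                    /* pointer left dangling */
    }
    return hits;
}
#endif

/* Corrected shape: the pointer is scoped to one iteration, the flag is
 * initialised only after allocation, and nothing outlives the free(). */
int count_even_fixed(const int *keys, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct pair *pair = malloc(sizeof *pair);
        if (!pair) return -1;
        pair->key = keys[i];
        pair->added = 0;
        if (pair->key % 2 == 0) { pair->added = 1; hits++; }
        free(pair);
    }
    return hits;
}
```
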