https://bugs.exim.org/show_bug.cgi?id=3144
Bug ID: 3144
Summary: exim_tidydb crashes due to invalid pointer
Product: Exim
Version: 4.98
Hardware: All
OS: All
Status: NEW
Severity: bug
Priority: medium
Component: Unfiled
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
% ./exim_tidydb "${PWD}" retry
Tidying Exim hints database /var/tmp/portage/mail-mta/exim-4.98.2/work/exim-4.98.2/build-exim-gentoo/db/retry
free(): invalid pointer
Abort
% valgrind ./exim_tidydb "${PWD}" retry
==9815== Memcheck, a memory error detector
==9815== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==9815== Using Valgrind-3.24.1.GIT and LibVEX; rerun with -h for copyright info
==9815== Command: ./exim_tidydb /var/tmp/portage/mail-mta/exim-4.98.2/work/exim-4.98.2/build-exim-gentoo retry
==9815==
Tidying Exim hints database /var/tmp/portage/mail-mta/exim-4.98.2/work/exim-4.98.2/build-exim-gentoo/db/retry
==9815== Invalid free() / delete / delete[] / realloc()
==9815== at 0x484A96F: free (vg_replace_malloc.c:989)
==9815== by 0x10DFF6: internal_store_free (store.c:1223)
==9815== by 0x10E035: store_free_3 (store.c:1230)
==9815== by 0x10A8CC: exim_dbdelete_cursor (hintsdb.h:599)
==9815== by 0x10B6B0: dbfn_scan (exim_dbutil.c:539)
==9815== by 0x10BAC5: main (exim_dbutil.c:1226)
==9815== Address 0x4ad1848 is 8 bytes before a block of size 16 alloc'd
==9815== at 0x4847888: malloc (vg_replace_malloc.c:446)
==9815== by 0x10A7FA: exim_dbcreate_cursor (hintsdb.h:575)
==9815== by 0x10B63C: dbfn_scan (exim_dbutil.c:529)
==9815== by 0x10BAC5: main (exim_dbutil.c:1226)
==9815==
Tidying complete
Problem exists since 4.98, and seems to be caused by using store_free instead
of free. Something like this patch fixes the issue for me:
% diff -u hintsdb.h{.orig,}
--- hintsdb.h.orig 2025-04-05 10:17:56.913410382 +0200
+++ hintsdb.h 2025-04-05 10:18:30.472218211 +0200
@@ -596,7 +596,11 @@
/* EXIM_DBDELETE_CURSOR - terminate scanning operation. */
static inline void
exim_dbdelete_cursor(EXIM_CURSOR * cursor)
+# ifdef COMPILE_UTILITY
+{ free(cursor); }
+# else
{ store_free(cursor); }
+# endif
/* EXIM_DBCLOSE */
static inline void
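Review bot: the hunk conditionalises only the release side, so its pairing with the allocation in exim_dbcreate_cursor (hintsdb.h:575, where the valgrind trace shows the cursor coming from malloc) is implied rather than enforced. Suggest either a one-line comment above `# ifdef COMPILE_UTILITY` stating that the utility build allocates the cursor with plain malloc(), or selecting both the allocate and the release call through a single COMPILE_UTILITY-controlled pair, so the two cannot drift apart again the way they did here.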
Thanks
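The allocator mismatch this report describes, shown in an added example that is not Exim's code: a hypothetical release routine that expects a private header in front of every block (the "8 bytes before a block" in the valgrind trace is what such a walk-back produces), paired with a table-based ownership check so that a pointer from plain malloc() is refused instead of being handed to free(). The names, the 8-byte header layout and the fixed-size tracking table are all assumptions of this example.

```c
/* Added example (not Exim's code): a tiny "tracked" allocator that shows
 * why a release routine must only ever see pointers its own allocator
 * produced.  An unchecked release would compute p - sizeof(blk_hdr) and
 * pass that to free(), which is the invalid free in the report.
 * Names and layout are hypothetical. */
#include <stdlib.h>
#include <stdint.h>

#define HDR_MAGIC   0x5EC0DE11u
#define MAX_TRACKED 64

typedef struct { uint32_t magic; uint32_t size; } blk_hdr;  /* 8 bytes */

static void *tracked[MAX_TRACKED];   /* user pointers handed out by hdr_malloc */

/* Allocate size bytes behind an 8-byte header; return the user pointer. */
void *hdr_malloc(size_t size)
{
    blk_hdr *h = malloc(sizeof *h + size);
    if (!h) return NULL;
    h->magic = HDR_MAGIC;
    h->size = (uint32_t)size;
    void *user = h + 1;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!tracked[i]) { tracked[i] = user; return user; }
    free(h);                         /* table full: refuse rather than lose track */
    return NULL;
}

/* Did hdr_malloc produce p?  Consults the table only and never reads the
 * bytes before p, so it is safe to call with a plain malloc() pointer. */
int hdr_owns(const void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++) if (tracked[i] == p) return 1;
    return 0;
}

/* Release p.  Returns 1 if freed, 0 if p is foreign or already released. */
int hdr_free_checked(void *p)
{
    if (!p) return 1;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == p) {
            tracked[i] = NULL;
            blk_hdr *h = (blk_hdr *)p - 1;          /* the walk-back, now safe */
            if (h->magic != HDR_MAGIC) return 0;    /* header overwritten */
            free(h);
            return 1;
        }
    return 0;                        /* not ours: do not touch it */
}

/* Distance the unchecked release walks back: the "8 bytes before" in the trace. */
size_t hdr_offset(void) { return sizeof(blk_hdr); }
```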