Hi,
In file read.c, the function multi_glob() has #ifndef NO_ARCHIVES code
which I believe has a bug.
Once you enter the large encompassing for loop, memname gets set to
either NULL or non-NULL (due to a malloc). Then, entering case 0, i gets
set to gl.gl_pathc, and a while loop churns over i until it reaches 0.
During this churning, memname is checked to be non-NULL; if so, then it's
dereferenced, otherwise, it is not. However, during this while loop,
memname is unconditionally free'd. As far as I can tell, if i > 1, then
this will dereference free'd memory.
I believe this is a bug, although I might be missing some magic
somewhere. Regardless, below is a patch which addresses this "use after
free" issue, which was found by Coverity. The solution is merely to set
memname to be NULL after the free, for lack of better understanding of
the purpose of this code.
Thanks,
Mike
---
--- make-3.81/read.c 2006-03-17 08:24:20.000000000 -0600
+++ make-3.81-diff/read.c 2006-04-26 10:06:31.605388240 -0500
@@ -3104,6 +3104,7 @@
}
free (memname);
+ memname = 0;
}
else
#endif /* !NO_ARCHIVES */
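
Review bot: Clearing the pointer at `memname = 0;` stops the stale dereference, but it also changes what the remaining loop iterations do. Per the description, the while loop tests memname for non-NULL on each pass, so once it is zeroed after the first free, every later iteration takes the `else` branch after `#endif /* !NO_ARCHIVES */` instead of the archive-member path. If those later iterations are meant to use the same member name, it would be safer to keep memname alive for the whole loop and free it once after the loop ends. If the intent really is to handle only the first match as an archive member, please add a short comment at the assignment saying so, since the line alone reads as a defensive reset.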