pmachata pushed to ltrace (f20). "Fix memory errors when %%p is used in printf"
notifications at fedoraproject.org
Thu Apr 16 11:40:53 UTC 2015
From ce0735fffca4face574caa0fb824f56ab99324c7 Mon Sep 17 00:00:00 2001
From: Petr Machata <pmachata at redhat.com>
Date: Thu, 16 Apr 2015 13:40:06 +0200
Subject: Fix memory errors when %%p is used in printf
diff --git a/ltrace-0.7.2-static-free.patch b/ltrace-0.7.2-static-free.patch
new file mode 100644
index 0000000..a483a99
--- /dev/null
+++ b/ltrace-0.7.2-static-free.patch
@@ -0,0 +1,44 @@
+From cae76962c7e0ec6119952addb36d1cf8d19f5228 Mon Sep 17 00:00:00 2001
+From: Peter Wu <lekensteyn at gmail.com>
+Date: Thu, 26 Sep 2013 00:55:57 +0200
+Subject: [PATCH] Prevent freeing static-alloc'd memory for %p and %n in printf
+
+The following code caused ltrace 0.7.3-1 to crash on Arch Linux because
+an invalid pointer was passed to free():
+
+ printf("%p", &whatever);
+
+In printf.c, the elt_info pointer was always a statically allocated
+memory address from type_get_simple():
+
+115 if (format_type == ARGTYPE_ARRAY ||
+ format_type == ARGTYPE_POINTER)
+116 elt_info = type_get_simple(elt_type);
+
+Therefore, do not assert that the caller form_next_param owns the
+elt_info pointer.
+
+Originally reported at
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724253
+
+Signed-off-by: Peter Wu <lekensteyn at gmail.com>
+---
+ printf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/printf.c b/printf.c
+index 9051d71..52b212c 100644
+--- a/printf.c
++++ b/printf.c
+@@ -168,7 +168,7 @@ form_next_param(struct param_enum *self,
+ type_init_pointer(infop, array, 1);
+
+ } else if (format_type == ARGTYPE_POINTER) {
+- type_init_pointer(infop, elt_info, 1);
++ type_init_pointer(infop, elt_info, 0);
+
+ } else {
+ *infop = *type_get_simple(format_type);
+--
+2.1.0
+
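Review bot: In the ARGTYPE_POINTER branch of form_next_param, passing 0 instead of 1 as the last argument of `type_init_pointer(infop, elt_info, ...)` is only safe if elt_info is never heap-allocated on that path, and nothing at the call site says so. The message quotes line 115, where elt_info comes from type_get_simple() for both ARGTYPE_ARRAY and ARGTYPE_POINTER, but the array branch is only partly visible here (`type_init_pointer(infop, array, 1);`), so please confirm that the array's element info is not also marked as owned. The subject names %n as well as %p while only one branch changes; a short comment above the call stating that elt_info is static and must not be freed would document the ownership rule and make clear how %n is covered.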
diff --git a/ltrace.spec b/ltrace.spec
index 917048f..e5dbaf5 100644
--- a/ltrace.spec
+++ b/ltrace.spec
@@ -1,7 +1,7 @@
Summary: Tracks runtime library calls from dynamically linked executables
Name: ltrace
Version: 0.7.2
-Release: 9%{?dist}
+Release: 10%{?dist}
URL: http://ltrace.alioth.debian.org/
License: GPLv2+
Group: Development/Debuggers
@@ -33,6 +33,9 @@ Patch4: ltrace-0.7.2-rindex_NULL.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1064406
Patch5: ltrace-0.7.2-e_machine.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1212314
+Patch6: ltrace-0.7.2-static-free.patch
+
%description
Ltrace is a debugging program which runs a specified command until the
command exits. While the command is executing, ltrace intercepts and
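Review bot: The comment above Patch6 cites only the Red Hat bug, although the changelog describes this as an upstream patch and the patch file carries the upstream commit id cae76962c7e0ec6119952addb36d1cf8d19f5228. Recording that commit id next to the bugzilla URL would make it easier to tell when the patch can be dropped on a rebase. The patch message reports the crash against ltrace 0.7.3-1, so it is also worth stating that the fix was checked against 0.7.2.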
@@ -51,6 +54,7 @@ execution of processes.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%build
autoreconf -i
@@ -76,6 +80,11 @@ echo ====================TESTING END=====================
%config(noreplace) %{_sysconfdir}/ltrace.conf
%changelog
+* Thu Apr 16 2015 Petr Machata <pmachata at redhat.com> - 0.7.2-10
+- Add an upstream patch that fixes memory errors when %%p is used in a
+ formatting string in printf-like calls.
+ (ltrace-0.7.2-static-free.patch)
+
* Thu Feb 13 2014 Petr Machata <pmachata at redhat.com> - 0.7.2-9
- Add an upstream patch that fixes missed initialization of some
fields in struct process after atteching to a multi-threaded
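Review bot: The new 0.7.2-10 changelog entry names the patch file but not the bug it fixes, while the Patch6 comment in the same spec cites https://bugzilla.redhat.com/show_bug.cgi?id=1212314. Adding the bug number to the entry would let someone reading only the changelog trace the fix to its report.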
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/ltrace.git/commit/?h=f20&id=ce0735fffca4face574caa0fb824f56ab99324c7