find attached a patch by Martin Schlemmer to fix a double free in the fts_read 
function

original bug report:
http://bugs.gentoo.org/show_bug.cgi?id=87490

explanation of issue:
http://bugs.gentoo.org/show_bug.cgi?id=87490#c8

patch (also attached):
http://bugs.gentoo.org/attachment.cgi?id=65200
-mike

Code in lib/fts.c looks like this:

-----
602 next:   tmp = p;
603         if ((p = p->fts_link) != NULL) {
604                 free(tmp);
605 
606                 /*
607                  * If reached the top, return to the original directory (or
608                  * the root of the tree), and load the paths for the next root.
609                 */
610                 if (p->fts_level == FTS_ROOTLEVEL) {
611                         if (FCHDIR(sp, sp->fts_rfd)) {
612                                 SET(FTS_STOP);
613                                 return (NULL);
614                         }
615                         fts_load(sp, p);
616                         if (p->fts_info == FTS_D)
617                                 ENTER_DIR (sp, p, "8");
618                         return (sp->fts_cur = p);
619                 }
-----

Basically we set 'p = p->fts_link' on line 603, and then free() the
old 'p' on line 604, but then if we fail to fchdir() on line 611, we do
not update 'sp->fts_cur' ...  Thus update 'sp->fts_cur' before we return
NULL on line 613.  (bug #87490)
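The failure mode described above, as an added example that is not part of this post and not coreutils' fts.c: a small model of the fts_read() sibling-advance path with a cursor (cur, standing in for sp->fts_cur) over a singly linked list (link, standing for fts_link). Advancing frees the node being left; closing frees the cursor node and the rest of its list, the way fts_close() does. The names struct trav, trav_next, trav_close, node_free and run_scenario are this example's own, and free() is replaced by an instrumented counter so the double free is observed instead of corrupting the allocator. The chdir failure is injected with a flag rather than a real fchdir().

```c
#include <stdio.h>
#include <stddef.h>

/* Model of the fts_read() sibling-advance path quoted above.  Added example
 * for this post; it is NOT coreutils' fts.c.  A traversal keeps a cursor
 * (cur, playing sp->fts_cur) over a singly linked sibling list (link,
 * playing fts_link).  Advancing frees the node being left; closing frees
 * the cursor node and every remaining sibling, as fts_close() does. */

struct node {
    struct node *link;
    int id;
    int free_count;     /* instrumentation: times node_free() hit this node */
};

struct trav {
    struct node *cur;   /* plays sp->fts_cur */
    int stop;           /* plays the FTS_STOP flag */
    int double_frees;   /* instrumentation: nodes freed more than once */
};

/* Instrumented free().  A real free() would corrupt the allocator on the
 * second call, so this only records the fault; node memory lives in a
 * caller-owned array and is never handed to the allocator. */
static void node_free(struct trav *t, struct node *n)
{
    if (n->free_count > 0)
        t->double_frees++;
    n->free_count++;
}

/* Move to the next sibling, freeing the one being left (lines 602-604 of
 * the snippet).  chdir_fails simulates FCHDIR() failing on line 611.
 * With fixed == 0 the cursor is left pointing at freed memory on that
 * error path, which is the double free; fixed == 1 applies the patch. */
static struct node *trav_next(struct trav *t, int chdir_fails, int fixed)
{
    struct node *tmp = t->cur;
    struct node *p = tmp->link;

    if (p == NULL)
        return NULL;            /* end of list: model stops, cur stays valid */

    node_free(t, tmp);          /* tmp is now dangling */

    if (chdir_fails) {
        t->stop = 1;
        if (fixed)
            t->cur = p;         /* the patch: never leave cur pointing at tmp */
        return NULL;
    }

    t->cur = p;
    return p;
}

/* Mirror of fts_close(): free the cursor node and every remaining sibling.
 * If cur still points at tmp, the first node_free() here is the double free. */
static void trav_close(struct trav *t)
{
    struct node *p = t->cur;
    while (p != NULL) {
        struct node *next = p->link;
        node_free(t, p);
        p = next;
    }
}

/* Build a three-node sibling list (constructed input), advance once with the
 * chdir failure injected, then close.  Returns the number of double frees
 * observed: 1 on the unpatched path, 0 with the patch applied. */
int run_scenario(int fixed)
{
    struct node pool[3];
    struct trav t;
    int i;

    for (i = 0; i < 3; i++) {
        pool[i].link = (i + 1 < 3) ? &pool[i + 1] : NULL;
        pool[i].id = i;
        pool[i].free_count = 0;
    }
    t.cur = &pool[0];
    t.stop = 0;
    t.double_frees = 0;

    (void)trav_next(&t, 1, fixed);   /* FCHDIR() fails on the way back to root */
    trav_close(&t);
    return t.double_frees;
}

int main(void)
{
    printf("unpatched: %d double free(s)\n", run_scenario(0));
    printf("patched:   %d double free(s)\n", run_scenario(1));
    return 0;
}
```

The point the model makes is that the invariant is "sp->fts_cur never points at freed memory", not "every return path sets fts_cur": the free() on line 604 happens before the error branch, so any early return after it must move the cursor first, and fts_close() is the caller that turns the stale pointer into a second free.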

--- coreutils-5.2.1/lib/fts.c
+++ coreutils-5.2.1/lib/fts.c
@@ -610,6 +610,7 @@
 		if (p->fts_level == FTS_ROOTLEVEL) {
 			if (FCHDIR(sp, sp->fts_rfd)) {
 				SET(FTS_STOP);
+				sp->fts_cur = p;
 				return (NULL);
 			}
 			fts_load(sp, p);
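Review bot: the new `sp->fts_cur = p;` before `return (NULL);` is the right place for the fix, since `tmp` was already released by the `free(tmp)` just above this hunk and fts_close() later frees whatever `sp->fts_cur` points at, but the hunk carries no comment saying so, and a reader of the patched code sees `fts_cur` assigned on an error path for no visible reason. Suggest a one-line comment above the assignment, e.g. `/* tmp is already freed; fts_close() must not reach it via fts_cur */`. Also worth confirming, since only this early return is visible here, that no other return in fts_read between the `free(tmp)` and the normal `sp->fts_cur = p` needs the same update.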
_______________________________________________
Bug-coreutils mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/bug-coreutils