Source: gnuplot
Version: 5.2.6+dfsg1-1
Severity: important

Hi,

After upgrading lindsay.d.o to buster, we see errors when trying to generate graphs of the tags. While trying to create a minimal reproducer I tripped a double free bug in gnuplot.

The following steps were done to reproduce the issue:

"""
$ unzip test-files.zip
$ cd test-files
test-files$ gdb -args gnuplot call.gp
[...]
(gdb) run
Starting program: /usr/bin/gnuplot call.gpi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min
free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff78c6535 in __GI_abort () at abort.c:79
#2 0x00007ffff791d778 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7a2828d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff7923e6a in malloc_printerr (str=str@entry=0x7ffff7a29f58 "free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007ffff792594d in _int_free (av=0x7ffff7a5fc40 <main_arena>, p=0x5555556eb250, have_lock=<optimized out>) at malloc.c:4193
#5 0x000055555558d71d in gpfree_string (a=0x5555556e9828) at .././../../src/eval.c:423
#6 0x000055555558dbcb in gpfree_string (a=<optimized out>) at .././../../src/eval.c:422
#7 gpfree_array (a=a@entry=0x5555556e9860) at .././../../src/eval.c:446
#8 0x00005555555be5a7 in lf_pop () at .././../../src/misc.c:515
#9 0x00005555555bebad in load_file_error () at .././../../src/misc.c:626
#10 0x000055555556e8e5 in main (argc=2, argv=0x7fffffffe178) at .././../../src/plot.c:555
(gdb) quit
"""

Note: The test files *are* invalid - the common.gpi file should define some variables but it does not (e.g. date_min). Nonetheless, gnuplot should not trip a double-free regardless of whether the input is valid or not.

Relevant versions of gnuplot used for reproducing this:

"""
$ dpkg -l | grep gnuplot
ii gnuplot-data 5.2.6+dfsg1-1 all Command-line driven interactive plotting program. Data-files
ii gnuplot-nox 5.2.6+dfsg1-1 amd64 Command-line driven interactive plotting program. No-X package
ii gnuplot-nox-dbgsym 5.2.6+dfsg1-1 amd64 debug symbols for gnuplot-nox
"""

Thanks,
~Niels

