The fhandler_base_overlapped::copyto clears atomic_write_buf on the clone, but none of the derived classes were doing this. This allowed the destructor to double-free the buffer and corrupt cygheap. Clear atomic_write_buf in copyto of all derived classes. --- winsup/cygwin/fhandler.h | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/winsup/cygwin/fhandler.h b/winsup/cygwin/fhandler.h
index 2cc99d713..9e63867ab 100644
--- a/winsup/cygwin/fhandler.h
+++ b/winsup/cygwin/fhandler.h
@@ -1216,6 +1216,7 @@ public:
 {
 x->pc.free_strings ();
 *reinterpret_cast<fhandler_pipe *> (x) = *this;
+ reinterpret_cast<fhandler_pipe *> (x)->atomic_write_buf = NULL;
 x->reset (this);
 }
@@ -1256,6 +1257,7 @@ public:
 {
 x->pc.free_strings ();
 *reinterpret_cast<fhandler_fifo *> (x) = *this;
+ reinterpret_cast<fhandler_fifo *> (x)->atomic_write_buf = NULL;
 x->reset (this);
 }
-- 
2.19.1
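Review bot: The added `reinterpret_cast<fhandler_pipe *> (x)->atomic_write_buf = NULL;` only makes sense to a reader who knows that the whole-object copy on the line above shallow-copies an owning pointer, so it deserves a why-comment such as `/* The copy above shares atomic_write_buf with *this; clear it so only one destructor frees the buffer.  */`, and the same applies to the fhandler_fifo hunk at @@ -1256. Since each derived copyto overwrites the clone with `*this` after the base copyto has (per the description) already cleared the field, any future derived class that adds its own copyto must remember to repeat this line; clearing the pointer in a copy constructor/assignment of fhandler_base_overlapped, or holding the buffer in an owning type, would fix it once, though that lies outside this hunk. Whether the clone's destructor tolerates a NULL atomic_write_buf is not visible here and should be confirmed. The copyto signature precedes the hunk in both cases.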