ID | Project | Category | View Status | Date Submitted | Last Update
0000789 | OMNeT++ | simulation kernel | public | 2014-11-25 18:43 | 2014-11-28 09:42
Reporter | rfpb
Assigned To | andras
Priority | normal | Severity | crash | Reproducibility | always
Status | resolved | Resolution | fixed
Platform | x86_64 | OS | GNU/Linux | OS Version | ?
Product Version | 4.5
Target Version | 4.6 | Fixed in Version | 4.6
Summary | 0000789: Bug in inifilereader.cc -- malloc(): memory corruption (fast)
Description |

There is a bug in the ini parser that leads to writing to memory after being freed. The problem is the pointer "Section *currentSection" (in file src/envir/inifilereader.cc) that points to an element of the vector "std::vector<Section> sections". Upon insertion of a new element into a vector, reallocation may occur and all pointers to elements may be invalidated and need to be updated, see [1]. Thus the pointer "currentSection" needs to be updated every time elements are added to "sections". In most cases this is done correctly. But not if the ini file includes another ini file using the "include" command.

If an ini file includes another ini file, the method "internalReadFile()" will recursively call itself. If the included ini file defines sections, they will be added to "sections", which invalidates pointers. The inner function "internalReadFile()" will update the pointer correctly. But when it terminates, the outer function "internalReadFile()" will continue using the old pointer "currentSection", which has become invalid.

The attached patch provides a simple fix. It will save the name of the current section before doing the recursive call. After the call it will get the valid pointer for that section name.

[1] http://www.cplusplus.com/reference/vector/vector/push_back/

Steps To Reproduce |

This bug can be reproduced by including an ini file in the upper part of the main ini file. There should be plenty of statements after the "include" statement. The included ini should define multiple sections, i.e. entries like [Config FooBar]. In my case it was eight sections.

Additional Information |

The bug will let the program crash like this:

    *** Error in `../src/Foo': malloc(): memory corruption (fast): 0x00007f516b1660e0 ***

Tags | No tags attached.
(0000948) andras (administrator) 2014-11-27 15:58

Thanks for the thorough bug report! Fixed by changing the code to use currentSectionIndex instead of a pointer.
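
The failure mode described in this report and the index-based approach named in the fix note, as an added C++ sketch that is not OMNeT++ code and not the attached patch. `MiniIniReader`, its members, the in-memory `files` map and the sample ini contents are constructed for illustration, and starting every file in `[General]` is an assumption of the sketch.

```cpp
#include <cstddef>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical miniature of an ini reader; not OMNeT++ code.
struct Section { std::string name; std::vector<std::string> entries; };

struct MiniIniReader {
    std::map<std::string, std::string> files;  // constructed in-memory "files"
    std::vector<Section> sections;
    bool pointerWouldDangle = false;

    std::size_t findOrAdd(const std::string& name) {
        for (std::size_t i = 0; i < sections.size(); ++i)
            if (sections[i].name == name) return i;
        sections.push_back(Section{name, {}});  // may reallocate the storage
        return sections.size() - 1;
    }

    void readFile(const std::string& fname) {
        // Assumption of this sketch: every file starts in [General].
        std::size_t currentSectionIndex = findOrAdd("General");
        std::istringstream in(files.at(fname));
        for (std::string line; std::getline(in, line); ) {
            if (line.empty()) continue;
            if (line.rfind("include ", 0) == 0) {
                std::size_t capBefore = sections.capacity();
                readFile(line.substr(8));  // recursion may grow 'sections'
                // A capacity change means the storage was reallocated, so a
                // Section* saved before the call would now be dangling.
                if (sections.capacity() != capBefore) pointerWouldDangle = true;
            } else if (line.front() == '[' && line.back() == ']') {
                currentSectionIndex = findOrAdd(line.substr(1, line.size() - 2));
            } else {
                // The index is resolved against the current storage.
                sections[currentSectionIndex].entries.push_back(line);
            }
        }
    }
};

// Constructed input: main.ini includes a file that defines eight sections.
MiniIniReader demo() {
    MiniIniReader r;
    for (int i = 1; i <= 8; ++i)
        r.files["inc.ini"] += "[Config S" + std::to_string(i) + "]\nx = 1\n";
    r.files["main.ini"] = "include inc.ini\na = 1\nb = 2\n";
    r.readFile("main.ini");
    return r;
}
```

Building a reader like this with AddressSanitizer (`-fsanitize=address`) reports a stale `Section*` as a heap-use-after-free at the first write after the include, rather than as a later `malloc()` abort.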
Date Modified | Username | Field | Change |
2014-11-25 18:43 | rfpb | New Issue | |
2014-11-25 18:43 | rfpb | File Added: inifile_fix.diff | |
2014-11-27 15:58 | andras | Note Added: 0000948 | |
2014-11-27 15:58 | andras | Status | new => resolved |
2014-11-27 15:58 | andras | Resolution | open => fixed |
2014-11-27 15:58 | andras | Assigned To | => andras |
2014-11-27 15:58 | andras | Target Version | => 4.6 |
2014-11-28 09:42 | andras | Fixed in Version | => 4.6 |
2015-10-12 09:28 | ammmar1988 | Issue cloned: 0000880 |