Discussion:
[PATCH 1] Fix segfault in config2help
(too old to reply)
Patrick Oppenlander
2017-09-21 05:48:22 UTC
Permalink
Raw Message
For some reason config2help started segfaulting on me.

As config2help searches for matches it holds on to a 'name' pointer which can be unexpectedly free'd.

============8<===============

commit f396a76e33f4524b3050ae033ab8c8b5d0b46ed5
Author: Patrick Oppenlander <***@gmail.com>
Date: Thu Sep 21 15:22:25 2017 +1000

fix segfault in config2help

'name' used to reference memory in catch->help->data which is later
released by free(tusage).

One 'name' is leaked on exit.

diff --git a/scripts/config2help.c b/scripts/config2help.c
index 575b7b8..d238939 100644
--- a/scripts/config2help.c
+++ b/scripts/config2help.c
@@ -262,7 +262,7 @@ int main(int argc, char *argv[])
// entry until we run out of matching pairs.
for (;;) {
struct symbol *throw = 0, *catch;
- char *this, *that, *cusage, *tusage, *name;
+ char *this, *that, *cusage, *tusage, *name = 0;
int len;

// find a usage: name and collate all enabled entries with that name
@@ -270,16 +270,18 @@ int main(int argc, char *argv[])
if (catch->enabled != 1) continue;
if (catch->help && (that = keyword("usage:", catch->help->data))) {
struct double_list *cfrom, *tfrom, *anchor;
- char *try, **cdashlines, **tdashlines;
+ char *try, **cdashlines, **tdashlines, *usage;
int clen, tlen;

// Align usage: lines, finding a matching pair so we can suck help
// text out of throw into catch, copying from this to that
- if (!throw) name = that;
+ if (!throw) usage = that;
else if (strncmp(name, that, len) || !isspace(that[len])) continue;
catch->enabled++;
while (!isspace(*that) && *that) that++;
- if (!throw) len = that-name;
+ if (!throw) len = that-usage;
+ free(name);
+ name = strndup(usage, len);
that = skip_spaces(that);
if (!throw) {
throw = catch;

Loading...