apr-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 59711] double free issue in apr_app.c and start.c on Windows
Date Wed, 15 Jun 2016 23:07:24 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59711

--- Comment #4 from Stefan <luke1410@gmx.de> ---
(In reply to Stefan from comment #3)
> Looks like the provided initial patch only resolves half of the problem. The
> double free is resolved, but the testapp.exe still crashes / triggers an
> exception if _environ is replaced with some content.
> 
> The problem for this case is that the runtime uninitialize-handling for the
> _environ-variable iterates over the separate elements and frees each
> separate element. However, since the APR code allocates a single block with
> apr_malloc_dbg the entire allocated memory is freed upon the first call
> already. Trying to access the second element's pointer then triggers a
> runtime access due to the access violation.
> 
> Hence to make the code work with the new handling in the VS runtime, we
> would have to rewrite the allocation handling in apr_app.c/start.c. This
> would be quite a code change which would exceed the code changes
> suggested/pointed out in the proof-of-concept patch. Hence, IMO fixing the
> issue with the alternative approach is more reasonable (especially since a
> rewrite of the allocation handling would most likely require different
> versions based on the different VS versions).

Looking at the code in start.c suggests another approach, since there the
allocation of the separate environment blocks looks correct. That code was
added in 63011 at 02/18/2002 (also by wrowe). That makes me believe that the
code in apr_app.c doesn't need to differentiate between different VS versions.

Hence copying over the same code in start.c to apr_app.c might be a third
alternative to completely fix both issues (double free + incorrect memory
allocation).
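The ownership mismatch discussed above, as an added example (hypothetical names, not APR's code and not the start.c routine the comment refers to): an environ-style array where every entry is its own heap allocation, which is what a runtime that frees entries one by one and then the array requires.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example (hypothetical names, not APR code). Builds a
 * NULL-terminated environ-style array where the pointer array and every
 * string are separate allocations, so a runtime that frees each entry and
 * then the array can do so safely. Packing array and strings into one
 * malloc block would make the first per-entry free release everything and
 * every later free operate on freed memory. */
char **env_dup_per_element(const char *const *src, size_t n)
{
    char **env = calloc(n + 1, sizeof *env);  /* trailing NULL like _environ */
    if (!env)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(src[i]) + 1;
        env[i] = malloc(len);                  /* one allocation per entry */
        if (!env[i]) {
            while (i > 0)
                free(env[--i]);
            free(env);
            return NULL;
        }
        memcpy(env[i], src[i], len);
    }
    return env;
}

/* Mirrors the runtime teardown the comment describes: free each entry,
 * then the array. Valid only because each entry owns its own block. */
void env_free_per_element(char **env)
{
    if (!env)
        return;
    for (char **p = env; *p; p++)
        free(*p);
    free(env);
}

/* Number of entries before the terminating NULL. */
size_t env_count(char *const *env)
{
    size_t n = 0;
    while (env[n])
        n++;
    return n;
}
```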


