From patchwork Thu Jul 9 18:07:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joseph Myers X-Patchwork-Id: 40004 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id E59813844047; Thu, 9 Jul 2020 18:07:24 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from esa4.mentor.iphmx.com (esa4.mentor.iphmx.com [68.232.137.252]) by sourceware.org (Postfix) with ESMTPS id A894D384402B for ; Thu, 9 Jul 2020 18:07:13 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org A894D384402B Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=codesourcery.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=joseph_myers@mentor.com IronPort-SDR: R2IlE8AuI5On7dJkB/4NWYSzVsOjJ4arv4WqEKiF58jvD3Tm8z0g5p5wYmDvjJ6w/Y8pxpn+nY 2FLJfef/j7Q02jNxMh4WBMLGupLFT2pskWB5liZ/aTMXT4k9UkUAOteA9BR/HdzEuZOh4hhAA1 f/IfLp1SyuDJTYnH7bmrWXLcdhiM0P9xBFHjO3rNj7VXF9x0zJP7vdtIknyCx3P247pAGVzLMv YB4bOWPLj90jZGL6iVb2aFE9eMLQeMNrdkq2tLPp9s3dTV6kadV73D3MPl9LnBL5MEAR9vzZRi Mhg= X-IronPort-AV: E=Sophos;i="5.75,332,1589270400"; d="scan'208";a="50886160" Received: from orw-gwy-02-in.mentorg.com ([192.94.38.167]) by esa4.mentor.iphmx.com with ESMTP; 09 Jul 2020 10:07:12 -0800 IronPort-SDR: SSiub24916+96E7Woe4h/zfkws7Ywb9g2S0EYCl83+N7Lc17E28EymSaKUar4y6QPL+ni4AKvT QEAOdJFwnogR0QDOBqSHcKq/qwO5ukwdSQQBjzC/DP4gE6/n95Ku62ipZ/d9xovaO0wtCu8GlY oghK8SeHUGboRL9pe8DtggDCfeuOXCUfCUlr592gSPDYvzENhxSZ2G/zy8N5oKSFCMDARLctqA aq/qtSTPD763mgtrAuNOMjj7pr/celC5Tof/hOusWChFFhLudf6xlo0T55R8LwCivKnmYlCGiP 1QU= Date: Thu, 9 Jul 2020 18:07:06 +0000 From: Joseph Myers X-X-Sender: jsm28@digraph.polyomino.org.uk To: Subject: Fix memory leak in __printf_fp_l (bug 26215) Message-ID: User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 X-Originating-IP: [137.202.0.90] X-ClientProxiedBy: svr-ies-mbx-02.mgc.mentorg.com (139.181.222.2) To SVR-IES-MBX-03.mgc.mentorg.com (139.181.222.3) X-Spam-Status: No, score=-3134.4 required=5.0 tests=BAYES_00, GIT_PATCH_0, HEADER_FROM_DIFFERENT_DOMAINS, KAM_DMARC_STATUS, KAM_SHORT, SPF_HELO_PASS, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" __printf_fp_l has a memory leak in the case of some I/O errors, where both buffer and wbuffer have been malloced but the handling of I/O errors only frees wbuffer. This patch fixes this by moving the declaration of buffer to an outer scope and ensuring that it is freed when wbuffer is freed. Tested for x86_64 and x86. Reviewed-by: Adhemerval Zanella --- This patch is relative to a tree with my previous fix for bug 26214 (pending review) applied. diff --git a/stdio-common/Makefile b/stdio-common/Makefile index dc3fd38a19..8475fd1f09 100644 --- a/stdio-common/Makefile +++ b/stdio-common/Makefile @@ -68,7 +68,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \ scanf14a scanf16a \ tst-printf-bz25691 \ tst-vfprintf-width-prec-alloc \ - tst-printf-fp-free + tst-printf-fp-free \ + tst-printf-fp-leak test-srcs = tst-unbputc tst-printf tst-printfsz-islongdouble @@ -80,12 +81,14 @@ tests-special += $(objpfx)tst-unbputc.out $(objpfx)tst-printf.out \ $(objpfx)tst-vfprintf-width-prec-mem.out \ $(objpfx)tst-printfsz-islongdouble.out \ $(objpfx)tst-printf-bz25691-mem.out \ - $(objpfx)tst-printf-fp-free-mem.out + $(objpfx)tst-printf-fp-free-mem.out \ + $(objpfx)tst-printf-fp-leak-mem.out generated += tst-printf-bz18872.c tst-printf-bz18872.mtrace \ tst-printf-bz18872-mem.out \ tst-vfprintf-width-prec.mtrace tst-vfprintf-width-prec-mem.out \ tst-printf-bz25691.mtrace tst-printf-bz25691-mem.out \ - tst-printf-fp-free.mtrace tst-printf-fp-free-mem.out + tst-printf-fp-free.mtrace tst-printf-fp-free-mem.out \ + tst-printf-fp-leak.mtrace tst-printf-fp-leak-mem.out endif tests-special += $(objpfx)tst-errno-manual.out @@ -113,6 +116,8 @@ tst-printf-bz25691-ENV = \ MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace tst-printf-fp-free-ENV = \ MALLOC_TRACE=$(objpfx)tst-printf-fp-free.mtrace +tst-printf-fp-leak-ENV = \ + MALLOC_TRACE=$(objpfx)tst-printf-fp-leak.mtrace $(objpfx)tst-unbputc.out: tst-unbputc.sh $(objpfx)tst-unbputc $(SHELL) $< $(common-objpfx) '$(test-program-prefix)' > $@; \ diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c index 49c693575e..c0b79f2184 100644 --- a/stdio-common/printf_fp.c +++ b/stdio-common/printf_fp.c @@ -72,7 +72,10 @@ if (putc (outc, fp) == EOF) \ { \ if (buffer_malloced) \ - free (wbuffer); \ + { \ + free (buffer); \ + free (wbuffer); \ + } \ return -1; \ } \ ++done; \ @@ -87,7 +90,10 @@ if (PUT (fp, wide ? (const char *) wptr : ptr, outlen) != outlen) \ { \ if (buffer_malloced) \ - free (wbuffer); \ + { \ + free (buffer); \ + free (wbuffer); \ + } \ return -1; \ } \ ptr += outlen; \ @@ -110,7 +116,10 @@ if (PAD (fp, ch, len) != len) \ { \ if (buffer_malloced) \ - free (wbuffer); \ + { \ + free (buffer); \ + free (wbuffer); \ + } \ return -1; \ } \ done += len; \ @@ -259,7 +268,8 @@ __printf_fp_l (FILE *fp, locale_t loc, /* Buffer in which we produce the output. */ wchar_t *wbuffer = NULL; - /* Flag whether wbuffer is malloc'ed or not. */ + char *buffer = NULL; + /* Flag whether wbuffer and buffer are malloc'ed or not. */ int buffer_malloced = 0; p.expsign = 0; @@ -1172,7 +1182,6 @@ __printf_fp_l (FILE *fp, locale_t loc, PADN ('0', width); { - char *buffer = NULL; char *buffer_end = NULL; char *cp = NULL; char *tmpptr; @@ -1252,6 +1261,7 @@ __printf_fp_l (FILE *fp, locale_t loc, free (wbuffer); /* Avoid a double free if the subsequent PADN encounters an I/O error. */ + buffer = NULL; wbuffer = NULL; } } diff --git a/stdio-common/tst-printf-fp-leak.c b/stdio-common/tst-printf-fp-leak.c new file mode 100644 index 0000000000..da11a486dd --- /dev/null +++ b/stdio-common/tst-printf-fp-leak.c @@ -0,0 +1,34 @@ +/* Test memory leak in __printf_fp_l (bug 26215). + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include + +static int +do_test (void) +{ + mtrace (); + FILE *fp = fopen ("/dev/full", "w"); + TEST_VERIFY_EXIT (fp != NULL); + TEST_COMPARE (fprintf (fp, "%.65536f", 1.0), -1); + fclose (fp); + return 0; +} + +#include