Bug in liolib.c


Daniel Silverstone

Hi,

While chasing a nasty segfault bug in Aranha I came across an assumption in
liolib.c which is false and potentially dangerous.

When popen() is enabled, there is a line which reads:

ok = (pclose(f) != -1) || (fclose(f) == 0);

This is slightly false since pclose() can return -1 and set errno to ECHILD
if it had a problem finding the exit code of the child process. This causes
that line to go on to fclose() a FILE* which has already been pclose()d
successfully.

This causes memory corruption and eventually leads to unpleasant malloc()
failures etc.

Changing that one line to:

errno = 0;
ok = (pclose(f) != -1);
if (!ok) {
  if (errno == ECHILD) ok = 1;          /* pclose() closed f; the child was already reaped */
  else ok = (fclose(f) == 0);
}

seems to do the trick nicely.

I have released a new Debian package with this patch in (5.0.2-4) and I urge
the Lua team to carry something similar (perhaps with some ifdefs?) because
otherwise if Lua is embedded in an application which has its own child
reaper, using io.popen() will eventually result in segfaults.

D.


--
Daniel Silverstone                         http://www.digital-scurf.org/
PGP mail accepted and encouraged.            Key Id: 2BC8 4016 2068 7895