[Toybox] [PATCH 1] Fix segfault in config2help

Patrick Oppenlander patrick.oppenlander at gmail.com
Wed Sep 20 22:48:22 PDT 2017


For some reason config2help started segfaulting on me.

As config2help searches for matches it holds on to a 'name' pointer which can be unexpectedly free'd.

============8<===============

commit f396a76e33f4524b3050ae033ab8c8b5d0b46ed5
Author: Patrick Oppenlander <patrick.oppenlander at gmail.com>
Date:   Thu Sep 21 15:22:25 2017 +1000

     fix segfault in config2help
     
     'name' used to reference memory in catch->help->data which is later
     released by free(tusage).
     
     One 'name' is leaked on exit.

diff --git a/scripts/config2help.c b/scripts/config2help.c
index 575b7b8..d238939 100644
--- a/scripts/config2help.c
+++ b/scripts/config2help.c
@@ -262,7 +262,7 @@ int main(int argc, char *argv[])
    // entry until we run out of matching pairs.
    for (;;) {
      struct symbol *throw = 0, *catch;
-    char *this, *that, *cusage, *tusage, *name;
+    char *this, *that, *cusage, *tusage, *name = 0;
      int len;
  
      // find a usage: name and collate all enabled entries with that name
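Review bot: `name` is declared inside the `for (;;)` body, so `name = 0` resets it on every pass and the copy made by `strndup` in the previous pass is never released by anything in this patch. That is one leaked allocation per pass of the outer loop, not the single leak on exit the commit message describes. Either add `free(name);` at the end of the loop body, or hoist the declaration above the loop and rely on the `free(name)` added in the next hunk. If the leak is accepted because this is a short-lived build tool, the commit message should describe it accurately.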
@@ -270,16 +270,18 @@ int main(int argc, char *argv[])
        if (catch->enabled != 1) continue;
        if (catch->help && (that = keyword("usage:", catch->help->data))) {
          struct double_list *cfrom, *tfrom, *anchor;
-        char *try, **cdashlines, **tdashlines;
+        char *try, **cdashlines, **tdashlines, *usage;
          int clen, tlen;
  
          // Align usage: lines, finding a matching pair so we can suck help
          // text out of throw into catch, copying from this to that
-        if (!throw) name = that;
+        if (!throw) usage = that;
          else if (strncmp(name, that, len) || !isspace(that[len])) continue;
          catch->enabled++;
          while (!isspace(*that) && *that) that++;
-        if (!throw) len = that-name;
+        if (!throw) len = that-usage;
+        free(name);
+        name = strndup(usage, len);
          that = skip_spaces(that);
          if (!throw) {
            throw = catch;
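Review bot: `usage` is assigned only in the `if (!throw)` branch, but `free(name); name = strndup(usage, len);` runs on every match, so once `throw` is set `strndup` reads an uninitialized pointer. `usage` is declared inside the `if (catch->help && ...)` block, so it does not keep the value from the first match when the block is entered again for a later symbol. Suggest doing the copy only when the name is first established, for example `if (!throw) { len = that-usage; free(name); name = strndup(usage, len); }`, which also leaves `name` intact for the `strncmp(name, that, len)` check on later matches. The `strndup` result is not checked for NULL before that `strncmp` uses it; a check or an allocating wrapper that exits on failure would close that gap.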

