Two use-after-free bugs.

marco.bodrato at tutanota.com
Thu Mar 19 01:15:12 CET 2026


Ciao,

The subject is "use after free"; can you show a piece of code that triggers this bug?
One where the pointed-to memory is actually freed before being used, or where it is really
used after calling free?
16 Mar 2026, 22:56 from jallison at ciq.com:

> Bug #1:
> --------------------------------------------------------------------------------
> mpf_get_str() can realloc the str pointer passed into it, so the use
> of str in strlen() on line 79 can be pointing at freed memory.
>
> 312 /* If the string was alloced then resize it down to the actual space
> 313 required. */
>
Are you sure?
The comment says the opposite: it can realloc if the pointer
was NOT passed.

> ------------------------------------------------------------------
> Bug #2
> ------------------------------------------------------------------
>
> In printf/asprntffuns.c: __gmp_asprintf_final looks like:
>
> 63 __gmp_asprintf_final (struct gmp_asprintf_t *d)
> 64 {
> 65 char *buf = d->buf;
> 66 ASSERT (d->alloc >= d->size + 1);
> 67 buf[d->size] = '\0';
> 68 __GMP_REALLOCATE_FUNC_MAYBE_TYPE (buf, d->alloc, d->size+1, char);
> 69 *d->result = buf;
> 70 return 0;
> 71 }
>
> If __GMP_REALLOCATE_FUNC_MAYBE_TYPE changes buf, as realloc() is wont
> to do, then d->buf is left as a wild pointer.
>
And is there a line of code using d->buf after the call to __gmp_asprintf_final?
Bye,
mb
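The pattern flagged in Bug #2 and the question asked in this reply (is d->buf read after finalization?), as an added C example that is not GMP's code: a hypothetical strbuf with the same four fields as the quoted gmp_asprintf_t, a finalizer with the quoted shape (copy the pointer into a local, trim with realloc, publish the local), and a variant that hands ownership over explicitly so no later read of the struct can hit freed memory. The names strbuf, strbuf_final_as_quoted, strbuf_final_handoff, build_greeting and the "hello, world" input are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not GMP's code: a growable string buffer with the same
   four fields as the gmp_asprintf_t quoted in the thread. */
struct strbuf {
    char   *buf;     /* heap block being filled */
    size_t  alloc;   /* bytes allocated for buf */
    size_t  size;    /* bytes used, excluding the terminator */
    char  **result;  /* where the finished string is handed back */
};

int strbuf_init(struct strbuf *d, char **result, size_t initial)
{
    d->buf = malloc(initial);
    if (d->buf == NULL) return -1;
    d->alloc = initial;
    d->size = 0;
    d->result = result;
    return 0;
}

/* Grow on demand.  The struct owns the block, so the new pointer is
   written back into it: this is the realloc discipline the report says
   the finalizer does not follow. */
int strbuf_append(struct strbuf *d, const char *s)
{
    size_t n = strlen(s);
    if (d->size + n + 1 > d->alloc) {
        size_t want = (d->size + n + 1) * 2;
        char *nb = realloc(d->buf, want);
        if (nb == NULL) return -1;
        d->buf = nb;
        d->alloc = want;
    }
    memcpy(d->buf + d->size, s, n);
    d->size += n;
    return 0;
}

/* Shape of the quoted __gmp_asprintf_final: copy the pointer into a
   local, trim with realloc, publish the local.  If realloc moves the
   block, d->buf is left pointing at freed memory; whether that is a bug
   is exactly the question in the reply: does anything read d->buf
   afterwards? */
int strbuf_final_as_quoted(struct strbuf *d)
{
    char *buf = d->buf;
    buf[d->size] = '\0';
    if (d->alloc != d->size + 1) {
        char *nb = realloc(buf, d->size + 1);
        if (nb != NULL) buf = nb;   /* on failure the old block is still valid */
    }
    *d->result = buf;
    return 0;                       /* d->buf and d->alloc are not updated */
}

/* Same trim, but ownership is handed over explicitly: the struct can no
   longer be used to reach the (possibly moved) block. */
int strbuf_final_handoff(struct strbuf *d)
{
    char *buf = d->buf;
    buf[d->size] = '\0';
    if (d->alloc != d->size + 1) {
        char *nb = realloc(buf, d->size + 1);
        if (nb != NULL) buf = nb;
    }
    *d->result = buf;
    d->buf = NULL;                  /* caller owns *result now */
    d->alloc = 0;
    return 0;
}

/* Builds the constructed sample "hello, world" from pieces, starting
   from a deliberately small block so both appends and the final trim
   have a reason to realloc.  Returns the finished string (caller frees)
   or NULL on allocation failure. */
char *build_greeting(int handoff)
{
    char *result = NULL;
    struct strbuf d;
    if (strbuf_init(&d, &result, 4) != 0) return NULL;
    if (strbuf_append(&d, "hello") != 0 || strbuf_append(&d, ", ") != 0 ||
        strbuf_append(&d, "world") != 0) {
        free(d.buf);
        return NULL;
    }
    if (handoff) strbuf_final_handoff(&d);
    else         strbuf_final_as_quoted(&d);
    /* Only *result is touched from here on; after strbuf_final_as_quoted
       the struct must be treated as dead. */
    return result;
}
```

Whether the quoted shape actually leaves a dangling d->buf depends on the allocator moving the block on a shrinking realloc, which glibc frequently does not do in place-shrink cases; to see the stale pointer reported, build with -fsanitize=address and add a read through d->buf after strbuf_final_as_quoted in a run where the block did move. The handoff variant needs no such check: any later dereference of d->buf faults loudly instead of reading freed memory.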

