Fix a memory leak of a class name from retrieve_hook() on an exception
parent
73872437b6
commit
d76f7a7ba8
|
@ -0,0 +1,81 @@
|
|||
From 979ae704ddc9e6f19d8dbf7a83bea155065ef3cc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 6 Feb 2017 15:26:09 +0100
|
||||
Subject: [PATCH] prevent leak of class name from retrieve_hook() on an
|
||||
exception
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Ported from perl:
|
||||
|
||||
commit da1ec2b1b9abdfd956d9c539abf39d908d046304
|
||||
Author: Tony Cook <tony@develop-help.com>
|
||||
Date: Mon Feb 6 11:38:10 2017 +1100
|
||||
|
||||
prevent leak of class name from retrieve_hook() on an exception
|
||||
|
||||
If supplied with a large class name, retrieve_hook() allocates
|
||||
buffer for the class name and Safefree()s it on exit path.
|
||||
|
||||
Unfortunately this memory leaks if load_module() (or a couple of other
|
||||
code paths) throw an exception.
|
||||
|
||||
So use SAVEFREEPV() to release the memory instead.
|
||||
|
||||
==20183== 193 bytes in 1 blocks are definitely lost in loss record 4 of 6
|
||||
==20183== at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||
==20183== by 0x55F85D: Perl_safesysmalloc (util.c:153)
|
||||
==20183== by 0x6ACA046: retrieve_hook (Storable.xs:4265)
|
||||
==20183== by 0x6AD6D19: retrieve (Storable.xs:6217)
|
||||
==20183== by 0x6AD8144: do_retrieve (Storable.xs:6401)
|
||||
==20183== by 0x6AD85B7: pretrieve (Storable.xs:6506)
|
||||
==20183== by 0x6AD8E14: XS_Storable_pretrieve (Storable.xs:6718)
|
||||
==20183== by 0x5C176D: Perl_pp_entersub (pp_hot.c:4227)
|
||||
==20183== by 0x55E1C6: Perl_runops_debug (dump.c:2450)
|
||||
==20183== by 0x461B79: S_run_body (perl.c:2528)
|
||||
==20183== by 0x46115C: perl_run (perl.c:2451)
|
||||
==20183== by 0x41F1CD: main (perlmain.c:123)
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
Storable.xs | 9 +++++----
|
||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Storable.xs b/Storable.xs
|
||||
index 3cce3ed..75ce3df 100644
|
||||
--- a/Storable.xs
|
||||
+++ b/Storable.xs
|
||||
@@ -4249,6 +4249,11 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
|
||||
TRACEME(("class name: %s", classname));
|
||||
|
||||
+ if (!(flags & SHF_IDX_CLASSNAME) && classname != buf) {
|
||||
+ /* some execution paths can throw an exception */
|
||||
+ SAVEFREEPV(classname);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Decode user-frozen string length and read it in an SV.
|
||||
*
|
||||
@@ -4367,8 +4372,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
SEEN0(sv, 0);
|
||||
SvRV_set(attached, NULL);
|
||||
SvREFCNT_dec(attached);
|
||||
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
|
||||
- Safefree(classname);
|
||||
return sv;
|
||||
}
|
||||
CROAK(("STORABLE_attach did not return a %s object", classname));
|
||||
@@ -4449,8 +4452,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
SvREFCNT_dec(frozen);
|
||||
av_undef(av);
|
||||
sv_free((SV *) av);
|
||||
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
|
||||
- Safefree(classname);
|
||||
|
||||
/*
|
||||
* If we had an <extra> type, then the object was not as simple, and
|
||||
--
|
||||
2.7.4
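Review bot: After the added `SAVEFREEPV(classname);` in the first hunk the savestack owns the buffer, so any `Safefree(classname)` left further down in retrieve_hook() would become a double free; the second and third hunks remove two of them, but the function body extends outside all three hunks, so the rest of it should be checked for a remaining one. The comment `/* some execution paths can throw an exception */` does not record that ownership change, and I would write `/* classname is now owned by the savestack (freed on scope exit or die); do not Safefree() it below */` instead. The allocation and the read of the class name sit above the hunk and are not visible here; if an early return exists between them and this point, that path presumably still needs its own free. Because retrieve_hook() runs on serialized input, a regression test that retrieves an image with a long class name whose module load fails, run under valgrind as in the commit message, would keep the leak from coming back.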
|
||||
|
|
@ -21,6 +21,9 @@ Patch3: perl-5.25.7-Fix-Storable-segfaults.patch
|
|||
# Fix a stack buffer overflow in deserialization of hooks, RT#130635,
|
||||
# fixed in perl after 5.25.9
|
||||
Patch4: Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch
|
||||
# Fix a memory leak of a class name from retrieve_hook() on an exception,
|
||||
# RT#130635, fixed in perl after 5.25.9
|
||||
Patch5: Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
|
@ -81,6 +84,7 @@ can be conveniently stored to disk and retrieved at a later time.
|
|||
%patch2 -p1
|
||||
%patch3 -p3
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
# Remove bundled modules
|
||||
rm -rf t/compat
|
||||
sed -i -e '/^t\/compat\//d' MANIFEST
|
||||
|
@ -109,6 +113,8 @@ make test
|
|||
%changelog
|
||||
* Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.56-368
|
||||
- Fix a stack buffer overflow in deserialization of hooks (RT#130635)
|
||||
- Fix a memory leak of a class name from retrieve_hook() on an exception
|
||||
(RT#130635)
|
||||
|
||||
* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.56-367
|
||||
- Fix crash in Storable when deserializing malformed code reference
|
||||
|
|