Opened 5 years ago

Closed 5 years ago

#1316 closed defect/bug (fixed)

Use-after-free bug in binfile.c

Reported by: lessandro Owned by: KaZeR
Priority: major Milestone: version 0.5.0
Component: core Version: git master
Severity: normal Keywords:
Cc:

Description

I've ran Navit through a dynamic analysis tool (Pareon Verify) and found several memory leaks, code using memory that has already been free'd, and code using memory that has not been initialized.

I've added the report from the tool for the use-after-free case as an attachment. Here's my analysis of it, which happens in binfile.c:2128-2140.

1 ->    map_rec = map_rect_new_binfile(map, NULL);
2 ->    town = map_rect_get_item_byid_binfile(map_rec, map->last_searched_town_id_hi, map->last_searched_town_id_lo);
        if (town)
            msp->mr = binmap_search_street_by_place(map, town, &c, &msp->ms, &msp->boundaries);
3 ->    map_rect_destroy_binfile(map_rec);
        if (msp->boundaries)
            dbg(lvl_debug, "using map town boundaries\n");
        if (!msp->boundaries && town)
            {
4 ->            binmap_get_estimated_boundaries(town, &msp->boundaries);
                if (msp->boundaries)
                    dbg(lvl_debug, "using estimated boundaries\n");
            }
  1. map_rec allocated
  2. town is a pointer to a field inside map_rec
  3. map_rec freed, therefore town now points to deallocated memory
  4. town is used

A fix for this would be to move the deallocation (3) further down the switch case.

Attachments (1)

report.txt (3.3 KB) - added by lessandro 5 years ago.

Download all attachments as: .zip

Change History (2)

Changed 5 years ago by lessandro

comment:1 Changed 5 years ago by kazer

  • Milestone set to version 0.5.0
  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.