Opened 5 years ago
Closed 5 years ago
#1316 closed defect/bug (fixed)
Use-after-free bug in binfile.c
| Reported by: | lessandro | Owned by: | KaZeR |
|---|---|---|---|
| Priority: | major | Milestone: | version 0.5.0 |
| Component: | core | Version: | git master |
| Severity: | normal | Keywords: | |
| Cc: |
Description
I've ran Navit through a dynamic analysis tool (Pareon Verify) and found several memory leaks, code using memory that has already been free'd, and code using memory that has not been initialized.
I've added the report from the tool for the use-after-free case as an attachment. Here's my analysis of it, which happens in binfile.c:2128-2140.
1 -> map_rec = map_rect_new_binfile(map, NULL);
2 -> town = map_rect_get_item_byid_binfile(map_rec, map->last_searched_town_id_hi, map->last_searched_town_id_lo);
if (town)
msp->mr = binmap_search_street_by_place(map, town, &c, &msp->ms, &msp->boundaries);
3 -> map_rect_destroy_binfile(map_rec);
if (msp->boundaries)
dbg(lvl_debug, "using map town boundaries\n");
if (!msp->boundaries && town)
{
4 -> binmap_get_estimated_boundaries(town, &msp->boundaries);
if (msp->boundaries)
dbg(lvl_debug, "using estimated boundaries\n");
}
- map_rec allocated
- town is a pointer to a field inside map_rec
- map_rec freed, therefore town now points to deallocated memory
- town is used
A fix for this would be to move the deallocation (3) further down the switch case.
Attachments (1)
Change History (2)
Changed 5 years ago by lessandro
comment:1 Changed 5 years ago by kazer
- Milestone set to version 0.5.0
- Resolution set to fixed
- Status changed from new to closed
Note: See
TracTickets for help on using
tickets.
Thanks Lessandro!
This has been addressed in https://github.com/navit-gps/navit/commit/3bd575edb416a23bd0d7288f9eb44297ac26e624