www.delorie.com/djgpp/bugs/show.cgi   search  
Bug 000058

When Created: 02/12/1996 05:37:54
Against DJGPP version: 2.00
By whom: karn@unix.ka9q.ampr.org
Abstract: _go32_dpmi_free_real_mode_callback() passes bad pointer to free()
Calling _go32_dpmi_free_real_mode_callback() passes a bad pointer to free()
as it tries to free the previously allocated interrupt stack.

Solution added: 02/12/1996 05:38:33
By whom: karn@unix.ka9q.ampr.org
I have found and fixed an apparent bug in src/libc/go32/gormcb.c in
the released v2. I haven't checked the latest beta version, but
I can't find any mention of this bug in the bug tracking system.

The symptom is that _go32_dpmi_free_real_mode_callback()
passes a bad pointer to free() when it tries to free the interrupt
stack. (I detected this with my own malloc/free code that
checks the hidden header in a memory block for invalid contents).

The problem appears to be with the code that extracts the allocated
stack address from where an offset from it was stashed in the data area
at the base of the interrupt stack. This offset doesn't match the value
stored when the callback was set up. Here's the fix:

src/libc/go32/gormcb.c
190c190
<   stack = (char *)(*(long *)((long) info->size+0x12) - 8);
---
>   stack = (char *)(*(long *)((long) info->size+0x12) - 4); /* fix prk */

--Phil

Fixed in version 2.01 on 06/13/1996 00:41:34
By whom: dj@delorie.com



  webmaster   donations   bookstore     delorie software   privacy  
  Copyright 2010   by DJ Delorie     Updated Jul 2010