vsnprintf() has "FILE f" and sets "f._bf._base = str;" (where str is what the user passes in). If the user passes in NULL, __swsetup(&f) calls __smakebuf(&f), which allocates a buffer that isn't ever freed.

/usr/src/lib/libc/stdio/vsnprintf.c

Fix:

if (!str) free(p._bf._base); /* just before the return (ret) */

How-To-Repeat:

vsnprintf(NULL, 0, "yadda yadda!\n"); /* should do it */
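The leak described in this report, as an added example that is not part of the original PR and is not FreeBSD libc source: a simplified C model in which model_file, model_swsetup, model_vsnprintf and leaked_after are hypothetical names standing in for the stdio internals. It runs the NULL-destination call with and without the proposed free and counts the buffers left allocated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the stdio structures named in the report. */
struct model_buf  { char *base; size_t size; };
struct model_file { struct model_buf bf; };

static int live_allocs;  /* buffers the model allocated and has not freed */

/* Plays the role of __swsetup()/__smakebuf(): a stream with no buffer
 * gets one allocated for it, which the caller never sees. */
static int model_swsetup(struct model_file *f)
{
    if (f->bf.base == NULL) {
        if ((f->bf.base = malloc(BUFSIZ)) == NULL)
            return -1;
        f->bf.size = BUFSIZ;
        live_allocs++;
    }
    return 0;
}

/* apply_fix == 0: behaviour as reported; apply_fix != 0: with the proposed free. */
static int model_vsnprintf(char *str, size_t n, const char *text, int apply_fix)
{
    struct model_file f;
    size_t len = strlen(text);

    f.bf.base = str;               /* caller's buffer, possibly NULL */
    f.bf.size = n;
    if (model_swsetup(&f) != 0)
        return -1;
    if (str != NULL && n > 0) {    /* copy what fits, always terminate */
        size_t c = len < n - 1 ? len : n - 1;
        memcpy(str, text, c);
        str[c] = '\0';
    }
    if (apply_fix && str == NULL) {  /* free only the internal buffer */
        free(f.bf.base);
        live_allocs--;
    }
    return (int)len;               /* length that would have been written */
}

/* Buffers still outstanding after `calls` NULL-destination calls. */
int leaked_after(int calls, int apply_fix)
{
    live_allocs = 0;
    for (int i = 0; i < calls; i++)
        model_vsnprintf(NULL, 0, "yadda yadda!\n", apply_fix);
    return live_allocs;
}
```

The free is conditional on str being NULL because in every other case the buffer belongs to the caller.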
State Changed
From-To: open->closed

thanks. fixed.

Responsible Changed
From-To: freebsd-bugs->assar

I fixed it

State Changed
From-To: closed->open

this bug still exists.

Responsible Changed
From-To: assar->freebsd-bugs

this bug still exists.
bin/36175 has a fix obtained from OpenBSD:

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin/36175

On 10:38-0700, May 30, 2002, billf@FreeBSD.ORG wrote:

> Synopsis: vsprintf calls __swsetup, then __smakebuf, it allocates mem and never frees it
>
> State-Changed-From-To: closed->open
> State-Changed-By: billf
> State-Changed-When: Thu May 30 10:37:24 PDT 2002
> State-Changed-Why:
> this bug still exists.
>
>
> Responsible-Changed-From-To: assar->freebsd-bugs
> Responsible-Changed-By: billf
> Responsible-Changed-When: Thu May 30 10:37:24 PDT 2002
> Responsible-Changed-Why:
> this bug still exists.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=26044
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-bugs" in the body of the message
>
>

--
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
State Changed
From-To: open->closed

see pr# 36175

Responsible Changed
From-To: freebsd-bugs->billf

see pr# 36175