This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.



[Bug tui/18350] New: Invalid free() in tui_check_register_values() [Heap Corruption]


https://sourceware.org/bugzilla/show_bug.cgi?id=18350

            Bug ID: 18350
           Summary: Invalid free() in tui_check_register_values() [Heap
                    Corruption]
           Product: gdb
           Version: 7.9
            Status: NEW
          Severity: normal
          Priority: P2
         Component: tui
          Assignee: unassigned at sourceware dot org
          Reporter: proto0x0 at gmail dot com
  Target Milestone: ---
             Flags: security?

System: 

Linux -redacted- 3.19.3-3-ARCH #1 SMP PREEMPT Wed Apr 8 14:10:00 CEST 2015 x86_64 GNU/Linux
GNU gdb (GDB) 7.9

During a debugging session, I opened two stacked TUI windows up (registers and
source), and cycled the first window twice (once forward, once backwards).
After this I was given a coredump and abort() was called by gdb.

*** Error in `gdb': free(): invalid next size (fast): 0x0000000002e8b200 ***
...(Garbled by curses output)...
warning: Invalid window specified. 
gdb[0x5536f4]
The window name specified must be valid and visible.
Focus set to Cgdb[0x5a1f47]

Examining the coredump shows the following backtrace:

#0  0x00007faef65584b7 in raise () from /usr/lib/libc.so.6
#1  0x00007faef655988a in abort () from /usr/lib/libc.so.6
#2  0x00007faef6596993 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007faef659bdee in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007faef659c5cb in _int_free () from /usr/lib/libc.so.6
#5  0x00000000004edb10 in tui_check_register_values ()
#6  0x00000000004ea422 in ?? ()
#7  0x0000000000687fe9 in select_frame ()
#8  0x00000000005b8cfd in ?? ()
#9  0x0000000000562826 in ?? ()
#10 0x00000000005536f4 in ?? ()
#11 0x00000000005af170 in proceed ()
#12 0x00000000005a1f47 in ?? ()
#13 0x00000000005a3dc8 in ?? ()
#14 0x000000000067f57c in execute_command ()
#15 0x00000000005c40a5 in ?? ()
#16 0x00000000005c4734 in ?? ()
#17 0x00007faef804625e in rl_callback_read_char () from /usr/lib/libreadline.so.6
#18 0x00000000005c4109 in ?? ()
#19 0x00000000005c4153 in stdin_event_handler ()
#20 0x00000000005c2f25 in ?? ()
#21 0x00000000005c31b8 in gdb_do_one_event ()
#22 0x00000000005c329e in start_event_loop ()
#23 0x00000000005bd073 in ?? ()
#24 0x00000000005ba425 in catch_errors ()
#25 0x00000000005be0be in ?? ()
#26 0x00000000005ba425 in catch_errors ()
#27 0x00000000005be42b in gdb_main ()
#28 0x000000000045dd15 in main ()

The coredump seems to follow a call to xfree() (probably from within
`tui_get_register()`).


