From: Darrick J. Wong
Date: Thu, 4 Jan 2018 19:58:29 +0000 (-0600)
Subject: xfs_db: fix crash when field list selector string has trailing slash
X-Git-Tag: v4.15.0-rc1~59
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=945e47e2fcc5d1cec693122286da06d8ab829c52;p=thirdparty%2Fxfsprogs-dev.git

xfs_db: fix crash when field list selector string has trailing slash

If I run the following command:

xfs_db /dev/sdf -x -c 'agf 0' -c 'addr refcntroot' -c 'addr ptrs[1]\'

it errors out with "bad character in field \" and then ftok_free crashes on an invalid free() because picking up the previous token (the closing bracket) xrealloc'd the token array to be 5 elements long but never set the last element's tok pointer. Consequently the ftok_free tries to free whatever garbage pointer is in that last element and kaboom.

Signed-off-by: Darrick J. Wong
Reviewed-by: Eric Sandeen
[sandeen: slightly clarify commit log]
Signed-off-by: Eric Sandeen
---

diff --git a/db/flist.c b/db/flist.c index e11acbfcb..b207354a5 100644 --- a/db/flist.c +++ b/db/flist.c @@ -400,6 +400,7 @@ flist_split( strncpy(a, s, l); a[l] = '\0'; v = xrealloc(v, (nv + 2) * sizeof(*v)); + v[nv + 1].tok = NULL; v[nv].tok = a; v[nv].tokty = t; nv++;
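
Review bot: the added `v[nv + 1].tok = NULL;` in flist_split() initializes only the `tok` member of the freshly xrealloc'd terminator slot, so that slot's `tokty` is still indeterminate, and nothing in the hunk records that the array must stay NULL-terminated after every append. Going by the commit message, ftok_free depends on that terminator when the error path runs, so a one-line comment above the assignment stating the invariant would keep a later edit from dropping it. If anything reads `tokty` of the last element, set it here as well.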