Changes by: cha0smaster
Update of /cvsroot/linux-ntfs/ntfsprogs/libntfs
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv21830/libntfs
Modified Files:
inode.c
Log Message:
Fix memory management error in ntfs_inode_close. ntfs_extent_inode_open
allocates buffer for up to 4 extent inodes, to prevent many reallocates.
But ntfs_inode_close always reallocates buffer to store exactly @nr_extents
inodes. Bug will arise in following scenario:
1) ntfs_extent_inode_open (1 extent, allocate buffer for 4)
2) ntfs_extent_inode_open (2 extents, use already allocated buffer)
3) ntfs_inode_close(extent_ni) (1 extent, reallocate buffer for 1 extent)
4) ntfs_extent_inode_open (2 extents, don't reallocate buffer because it should be for 4 elements, but really it's for 1, write to uninitialized space, segfault)
Index: inode.c
===================================================================
RCS file: /cvsroot/linux-ntfs/ntfsprogs/libntfs/inode.c,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -p -r1.58 -r1.59
--- inode.c 27 Jun 2005 20:30:09 -0000 1.58
+++ inode.c 2 Jul 2005 13:58:02 -0000 1.59
@@ -255,7 +255,8 @@ int ntfs_inode_close(ntfs_inode *ni)
*/
if (--base_ni->nr_extents) {
/* Resize the memory buffer. */
- tmp_nis = realloc(tmp_nis, base_ni->nr_extents *
+ tmp_nis = realloc(tmp_nis, ((base_ni->
+ nr_extents + 3) & ~3) *
sizeof(ntfs_inode *));
/* Ignore errors, they don't really matter. */
if (tmp_nis)
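Review bot: the rounding in the new realloc size, ((base_ni->nr_extents + 3) & ~3), hard-codes the 4-entry granularity that the log message says ntfs_extent_inode_open uses when it grows the array, so the two sites still have to be kept in step by hand. A named constant or a small helper for the rounded capacity, used by both functions, would prevent the same mismatch from returning, and the "Resize the memory buffer." comment should say that the buffer is kept at a multiple of 4 entries and why. The rounded size also only changes when the decremented nr_extents is itself a multiple of 4, so the realloc could be skipped in the other cases.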