VFS crash fixed
Andrew V. Samoilov
sav at bcs.zp.ua
Tue May 22 23:51:42 UTC 2001
Pavel Roskin wrote:
: Hello!
:
: This is perhaps one of the most serious bugs in MC I have ever fixed. The
: `columns' array wasn't cleaned up in vfs_split_text(). If the new string
: had less fields (i.e. spaces) than the old one, some of the values in
: `columns' would point to the old string. Occasionally MC would try to
: access the "old" memory. This can cause it to crash, since the filesystems
: are freed after a timeout.
. . .
: I remember rare crashes in MC after intensive use of different types of
: VFS. This must be the fix for that problem.
It seems now mc will crash after dereferencing of NULL(s).
The real problem is a buffer overflow. There are a lot of places where
index is incremented without checking the real number of members in columns.
Maybe it is more right to write a columns () function to return the nth element
of that array.
And now it is more right to fill `columns' with pointers to empty string ("").
Regards,
Andrew.
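The reset-and-bounds-check approach discussed above, as an added C example that is not mc's code: `split_text`, `column_get`, `MAXCOLS`, the scratch buffer and the sample listing lines are all constructed here. Every slot is reset to "" before each split and the accessor refuses out-of-range indices, so a shorter line can never leave stale pointers behind and a loop cannot walk past the array.

```c
#include <stdio.h>
#include <string.h>

#define MAXCOLS 30              /* hypothetical capacity, not mc's real value */

static char *columns[MAXCOLS];  /* stand-in for mc's `columns' array */
static int   ncolumns;
static char  scratch[256];      /* reused line buffer, like a VFS listing line */

/* Split a copy of `line' on blanks.  Every slot is reset to "" first, so an
 * entry beyond the new field count can never keep pointing into an older
 * (possibly freed) string.  Returns the field count, or -1 on overflow. */
static int split_text(const char *line)
{
    int i;
    for (i = 0; i < MAXCOLS; i++)
        columns[i] = "";        /* empty string, as proposed in the reply */
    ncolumns = 0;
    snprintf(scratch, sizeof scratch, "%s", line);
    for (char *p = strtok(scratch, " \t"); p != NULL; p = strtok(NULL, " \t")) {
        if (ncolumns >= MAXCOLS)
            return -1;          /* refuse to write past the array */
        columns[ncolumns++] = p;
    }
    return ncolumns;
}

/* Bounds-checked accessor, the columns() helper suggested in the reply.
 * Out-of-range indices yield "" rather than a stale or NULL pointer. */
static const char *column_get(int n)
{
    if (n < 0 || n >= ncolumns)
        return "";
    return columns[n];
}

int main(void)
{
    split_text("drwxr-xr-x 2 root root 4096 May 22 dir");
    split_text("-rw-r--r-- 1 user");   /* fewer fields than the previous line */
    printf("%s|%s|[%s]\n", column_get(0), column_get(2), column_get(7));
    return 0;
}
```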