System: patch version 2.0
Patch #: 9
Priority: LOW
Subject: Reversed new-style context diff can cause double free().
From: lwall@sdcrdcf.UUCP

Description:
A new-style context diff that is reversed (-R) and that contains a hunk with an assumed old or new half is not freed properly. When there is a hunk-half assumed, the lines are duplicated internally by copying the pointers of the actual lines from the other half. A pair of variables then tell the freeing routine not to free that range of fake lines since they will be freed when the other half hunk is freed. The problem is that the routine that swaps halves of the hunk didn't update the variables to point to where the fake lines were moved to.

Fix:
From rn, say "| patch -d DIR", where DIR is your patch source directory. Outside of rn, say "cd DIR; patch

#define PATCHLEVEL 9 Index: pch.c Prereq: 2.0.1.5 *** pch.c.old Thu Jun 4 16:20:28 1987 *** pch.c Thu Jun 4 16:20:43 1987 *************** *** 1,6 **** ! /* $Header: pch.c,v 2.0.1.5 87/01/30 22:47:42 lwall Exp $ * * $Log: pch.c,v $ * Revision 2.0.1.5 87/01/30 22:47:42 lwall * Improved responses to mangled patches. * --- 1,9 ---- ! /* $Header: pch.c,v 2.0.1.6 87/06/04 16:18:13 lwall Exp $ * * $Log: pch.c,v $ + * Revision 2.0.1.6 87/06/04 16:18:13 lwall + * pch_swap didn't swap p_bfake and p_efake. + * * Revision 2.0.1.5 87/01/30 22:47:42 lwall * Improved responses to mangled patches. * *************** *** 900,905 **** --- 903,915 ---- if (tp_char[i] == '\n') { /* account for possible blank line */ blankline = TRUE; i++; + } + if (p_efake >= 0) { /* fix non-freeable ptr range */ + n = p_end - i + 1; + if (p_efake > i) + n = -n; + p_efake += n; + p_bfake += n; } for (n=0; i <= p_end; i++,n++) { p_line[n] = tp_line[i];
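Review bot: in the pch_swap hunk (lines 900-905 / 903-915), the shift applied when the fake range lies in the new half looks wrong. The copy loop that follows, `for (n=0; i <= p_end; i++,n++) { p_line[n] = tp_line[i];`, moves element i to index 0, so lines i..p_end move by -i, while the old-half lines that are appended after them move by +(p_end - i + 1); the added code uses n = -(p_end - i + 1) for the new-half case, which only coincides with -i when the two halves happen to be the same length. With the wrong offset p_bfake/p_efake still mark the wrong range, so the freeing routine can again free a duplicated pointer or leak the real one. Suggest computing the two cases separately, e.g. `if (p_efake > i) n = -i; else n = p_end - i + 1;`, and checking whether the boundary test should be `p_efake >= i` for a fake range that starts exactly at i.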