Ticket #216 (Fixed) Tue Jul 21 15:24:22 UTC 2009
TextGadgets leaks RMA block containing handles for sliding heap if it can't be expanded
Reported by: Christopher Bazley (288)
Severity: Major
Part: RISC OS: Module
Release:
Milestone:
Status: Fixed
Details by Christopher Bazley (288):
The TextGadgets module maintains a dynamic array in an RMA block, where each element gives the base address and size of a block within its sliding heap (also the number of bytes free at the end of each block).
If every element of the dynamic array is in use and it cannot be expanded, then the RMA block will be leaked and the layout of the sliding heap lost.
When the memory formerly allocated to the array is overwritten by other calls to SWI OS_Module, code which dereferences a ‘handle’ to get the base address or size of a sliding block is likely to crash horribly. Because the notional array size is not reset, any code which iterates over the array is also likely to crash.
The cause is an elementary error: assigning the return value of ‘realloc’ to the same variable which was passed as an input argument.
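As an added illustration (not code from the TextGadgets module or from the report), the realloc pattern the ticket describes sits beside its corrected form. A constructed handle table stands in for the module's array of sliding-heap blocks; the struct and function names are invented for this example, and realloc failure is injected through a wrapper rather than by exhausting memory.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* One element of the handle table: base address, size and trailing
   free space of a block within a sliding heap (field names invented). */
typedef struct {
    void *base;
    size_t size;
    size_t spare;
} BlockInfo;

/* The table: a growable array plus its notional capacity and the
   number of elements in use. */
typedef struct {
    BlockInfo *entries;
    size_t capacity;
    size_t used;
} HandleTable;

/* Fault injection: when set, the wrapper reports allocation failure
   instead of calling realloc, so the failing path can be exercised
   without exhausting memory. */
static int inject_realloc_failure = 0;

static void *table_realloc(void *ptr, size_t nbytes)
{
    if (inject_realloc_failure)
        return NULL;
    return realloc(ptr, nbytes);
}

/* The pattern described in the ticket: realloc's result is stored
   straight back into the only pointer to the block. On failure realloc
   returns NULL and leaves the old block allocated, so the old address
   is overwritten (leak) while 'capacity' still claims elements exist,
   so later iteration dereferences NULL. Returns 0 on success, -1 on failure. */
static int grow_table_buggy(HandleTable *t)
{
    size_t new_cap = t->capacity ? t->capacity * 2 : 4;
    t->entries = table_realloc(t->entries, new_cap * sizeof *t->entries);
    if (t->entries == NULL)
        return -1;          /* old block is now unreachable */
    t->capacity = new_cap;
    return 0;
}

/* Corrected form: hold the result in a temporary and commit it only
   once realloc has succeeded. On failure the table is left exactly as
   it was, so existing handles stay valid. */
static int grow_table_safe(HandleTable *t)
{
    size_t new_cap = t->capacity ? t->capacity * 2 : 4;
    BlockInfo *tmp = table_realloc(t->entries, new_cap * sizeof *t->entries);
    if (tmp == NULL)
        return -1;          /* t->entries and t->capacity untouched */
    t->entries = tmp;
    t->capacity = new_cap;
    return 0;
}

/* Register a block, growing the table with 'grow' if every element is
   in use. Returns the handle (index) or -1 if the table could not grow. */
static long add_block(HandleTable *t, int (*grow)(HandleTable *),
                      void *base, size_t size, size_t spare)
{
    if (t->used == t->capacity && grow(t) != 0)
        return -1;
    t->entries[t->used] = (BlockInfo){ base, size, spare };
    return (long)t->used++;
}

/* Fill a table to capacity with constructed entries, then attempt one
   more insertion while realloc is forced to fail. Returns 1 if the table
   still describes its original entries afterwards, 0 otherwise. The
   buffer is freed before returning so the demo itself does not leak. */
static int survives_failed_growth(int (*grow)(HandleTable *))
{
    HandleTable t = { NULL, 0, 0 };
    char heap[64];          /* constructed stand-in for the sliding heap */

    for (size_t i = 0; i < 4; i++)
        add_block(&t, grow, heap + i * 16, 12, 4);

    BlockInfo *before = t.entries;      /* kept so the block can be freed */
    inject_realloc_failure = 1;
    long h = add_block(&t, grow, heap + 60, 4, 0);
    inject_realloc_failure = 0;

    /* && short-circuits, so entries[2] is never read through a NULL pointer */
    int ok = (h == -1 && t.entries == before && t.capacity == 4 && t.used == 4
              && t.entries[2].base == (void *)(heap + 32));
    free(before);
    return ok;
}

int main(void)
{
    printf("buggy pattern keeps table intact after failed realloc: %s\n",
           survives_failed_growth(grow_table_buggy) ? "yes" : "no");
    printf("fixed pattern keeps table intact after failed realloc: %s\n",
           survives_failed_growth(grow_table_safe) ? "yes" : "no");
    return 0;
}
```

The only difference between the two grow functions is the temporary; that is enough to turn an unrecoverable leak plus a later NULL dereference into a clean, reportable failure that leaves every existing handle usable.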
Changelog:
Modified by Jeffrey Lee (213) Sat, June 25 2011 - 22:44:12 GMT
- Status changed from Open to Fixed
This should now be fixed in TextGadgets 0.32.