cf/cf_loop.c and share/put.c tried to read the next pointer in an element of a linked list after freeing the element. ud/ud_copy.c tried to read beyond the end of the _defs_ array: it only has _nrexpldefs_ elements, not _nrdefs_ elements. These bugs caused core dumps on OpenBSD. Its malloc() put _defs_ near the end of a page, so reading beyond the end crossed into an unmapped page. Its free() wrote junk bytes and changed the next pointer to 0xdfdfdfdfdfdfdfdf.
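The linked-list bug described in the commit message, reproduced as an added example; this is not code from the commit or from the project. The `struct node` type, the function names and the `junk_free()` stand-in are hypothetical: `junk_free()` imitates the junk fill the message attributes to OpenBSD's free() but keeps the memory allocated so the stale read can be observed safely, and saving the next pointer before freeing is one common fix, assumed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical node type; not the structure used in cf/cf_loop.c. */
struct node { struct node *next; int value; };

/* Stand-in for a junk-filling free(): overwrite the element with 0xdf
 * bytes. Nodes live in a caller-owned array, so nothing is really freed
 * and the stale read below stays observable without crashing. */
static void junk_free(struct node *n) { memset(n, 0xdf, sizeof *n); }

/* True if p is the all-0xdf pattern left behind by junk_free(). */
static int is_junk(const struct node *p) {
    uintptr_t junk;
    memset(&junk, 0xdf, sizeof junk);
    return (uintptr_t)p == junk;
}

static struct node *make_list(struct node *pool, int n) {
    for (int i = 0; i < n; i++) {
        pool[i].value = i;
        pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
    }
    return n > 0 ? &pool[0] : NULL;
}

/* Buggy pattern: the loop step reads p->next after p was freed.
 * Returns -(elements freed) once the junk pointer is picked up. */
static int free_list_buggy(struct node *head) {
    int freed = 0;
    for (struct node *p = head; p != NULL; p = p->next) {
        if (is_junk(p)) return -freed;  /* a real run would fault here */
        junk_free(p);
        freed++;
    }
    return freed;
}

/* Fixed pattern: save the next pointer before freeing the element. */
static int free_list_fixed(struct node *head) {
    int freed = 0;
    for (struct node *p = head, *next; p != NULL; p = next) {
        next = p->next;
        junk_free(p);
        freed++;
    }
    return freed;
}

int demo_buggy(void) { struct node pool[4]; return free_list_buggy(make_list(pool, 4)); }
int demo_fixed(void) { struct node pool[4]; return free_list_fixed(make_list(pool, 4)); }

int main(void) { printf("buggy=%d fixed=%d\n", demo_buggy(), demo_fixed()); return 0; }
```

With an allocator that leaves freed memory untouched, the buggy loop usually appears to work, which is why a junk-filling free() exposes it.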