diff options
| author | Paul Eggert <eggert@cs.ucla.edu> | 2010-11-30 22:30:12 +0100 |
|---|---|---|
| committer | Jim Meyering <meyering@redhat.com> | 2010-12-01 07:13:06 +0100 |
| commit | 3afda5f0076beca786ecbe90875828eb6988a964 (patch) | |
| tree | a14bb414b71228d8e12f78886cb31d40aff35255 | |
| parent | 43d1112d01c0251076b5ec61605e45b101ab3e12 (diff) | |
| download | coreutils-3afda5f0076beca786ecbe90875828eb6988a964.tar.xz | |
sort -u: fix a thread-race pointer corruption bug
* src/sort.c (write_unique): Save the entire "struct line", not
just a pointer to one. Otherwise, with a multi-thread run,
sometimes, with some inputs, fillbuf would would win a race
and clobber a "saved->text" pointer in one thread just before
it was dereferenced in a comparison in another thread.
* NEWS (Bug fixes): Mention it.
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | src/sort.c | 6 |
2 files changed, 6 insertions, 3 deletions
@@ -7,6 +7,9 @@ GNU coreutils NEWS -*- outline -*- od now prints floating-point numbers without losing information, and it no longer omits spaces between floating-point columns in some cases. + sort -u with at least two threads could attempt to read through a + corrupted pointer. [bug introduced in coreutils-8.6] + ** New features split accepts the --number option to generate a specific number of files. diff --git a/src/sort.c b/src/sort.c index 7e25f6a0b..1aa1eb416 100644 --- a/src/sort.c +++ b/src/sort.c @@ -3226,13 +3226,13 @@ queue_pop (struct merge_node_queue *queue) static void write_unique (struct line const *line, FILE *tfp, char const *temp_output) { - static struct line const *saved = NULL; + static struct line saved; if (!unique) write_line (line, tfp, temp_output); - else if (!saved || compare (line, saved)) + else if (!saved.text || compare (line, &saved)) { - saved = line; + saved = *line; write_line (line, tfp, temp_output); } } |