From 945e47e2fcc5d1cec693122286da06d8ab829c52 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong"
Date: Thu, 4 Jan 2018 13:58:29 -0600
Subject: [PATCH] xfs_db: fix crash when field list selector string has trailing slash
If I run the following command: xfs_db /dev/sdf -x -c 'agf 0' -c 'addr refcntroot' -c 'addr ptrs[1]\' it errors out with "bad character in field \" and then ftok_free crashes on an invalid free() because picking up the previous token (the closing bracket) xrealloc'd the token array to be 5 elements long but never set the last element's tok pointer. Consequently the ftok_free tries to free whatever garbage pointer is in that last element and kaboom.
Signed-off-by: Darrick J. Wong
Reviewed-by: Eric Sandeen
[sandeen: slightly clarify commit log]
Signed-off-by: Eric Sandeen
---
db/flist.c | 1 +
1 file changed, 1 insertion(+)
Index: xfsprogs-4.5.0/db/flist.c
===================================================================
--- xfsprogs-4.5.0.orig/db/flist.c
+++ xfsprogs-4.5.0/db/flist.c
@@ -400,6 +400,7 @@ flist_split(
 strncpy(a, s, l);
 a[l] = '\0';
 v = xrealloc(v, (nv + 2) * sizeof(*v));
+ v[nv + 1].tok = NULL;
 v[nv].tok = a;
 v[nv].tokty = t;
 nv++;
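Review bot: The added `v[nv + 1].tok = NULL;` has no comment saying it exists for the error returns, so a later cleanup could drop it as redundant if the function writes the terminator again after the loop (that part is outside the hunk). I would add `/* keep v NULL-terminated on every pass: ftok_free() runs on the error paths before the final terminator is written */` above it. The new slot's `tokty` is still left unset after the xrealloc; that is harmless only if ftok_free() and any other reader stop on `tok == NULL` without looking at `tokty`, which the commit message suggests but the hunk does not show. flist_split's body starts and ends outside the hunk.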