Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!rutgers!ames!cit-vax!elroy!smeagol!usc-oberon!sdcrdcf!lwall
From: lwall@sdcrdcf.UUCP (Larry Wall)
Newsgroups: net.sources.bugs
Subject: patch 2.0 patch #6
Message-ID: <3667@sdcrdcf.UUCP>
Date: Mon, 5-Jan-87 20:09:50 EST
Article-I.D.: sdcrdcf.3667
Posted: Mon Jan  5 20:09:50 1987
Date-Received: Sat, 10-Jan-87 08:40:53 EST
Organization: System Development Corporation, Santa Monica
Lines: 158
Summary: This is an official patch for patch 2.0.  Please apply it.

System: patch version 2.0
Patch #: 6
Priority: HIGH
Subject: New-style context diffs can cause double call to free().
From: lwall@sdcrdcf (Larry Wall)

Description:
	When either the pattern section or the replacement section of
	a hunk is omitted, patch copies the corresponding line from
	the other section.  It does this by copying the pointer, not
	by copying the line, so when the hunk is later freed, some
	lines are freed twice.  This gives heartburn to many varieties
	of the malloc package.

Fix:	From rn, say "| patch -d DIR", where DIR is your patch source
	directory.  Outside of rn, say "cd DIR; patch  #define PATCHLEVEL 6
 
Index: pch.c
Prereq: 2.0.1.3
*** pch.c.old	Mon Jan  5 17:03:02 1987
*** pch.c	Mon Jan  5 17:03:26 1987
***************
*** 1,4
! /* $Header: pch.c,v 2.0.1.3 86/11/14 10:08:33 lwall Exp $
   *
   * $Log:	pch.c,v $
   * Revision 2.0.1.3  86/11/14  10:08:33  lwall

--- 1,4 -----
! /* $Header: pch.c,v 2.0.1.4 87/01/05 16:59:53 lwall Exp $
   *
   * $Log:	pch.c,v $
   * Revision 2.0.1.4  87/01/05  16:59:53  lwall
***************
*** 1,6
  /* $Header: pch.c,v 2.0.1.3 86/11/14 10:08:33 lwall Exp $
   *
   * $Log:	pch.c,v $
   * Revision 2.0.1.3  86/11/14  10:08:33  lwall
   * Fixed problem where a long pattern wouldn't grow the hunk.
   * Also restored p_input_line when backtracking so error messages are right.

--- 1,9 -----
  /* $Header: pch.c,v 2.0.1.4 87/01/05 16:59:53 lwall Exp $
   *
   * $Log:	pch.c,v $
+  * Revision 2.0.1.4  87/01/05  16:59:53  lwall
+  * New-style context diffs caused double call to free().
+  * 
   * Revision 2.0.1.3  86/11/14  10:08:33  lwall
   * Fixed problem where a long pattern wouldn't grow the hunk.
   * Also restored p_input_line when backtracking so error messages are right.
***************
*** 40,45
  static int p_indent;			/* indent to patch */
  static LINENUM p_base;			/* where to intuit this time */
  static LINENUM p_start;			/* where intuit found a patch */
  
  /* Prepare to look for the next patch in the patch file. */
  

--- 43,50 -----
  static int p_indent;			/* indent to patch */
  static LINENUM p_base;			/* where to intuit this time */
  static LINENUM p_start;			/* where intuit found a patch */
+ static LINENUM p_efake = -1;		/* end of faked up lines--don't free */
+ static LINENUM p_bfake = -1;		/* beg of faked up lines */
  
  /* Prepare to look for the next patch in the patch file. */
  
***************
*** 386,393
      Reg2 int context = 0;
  
      while (p_end >= 0) {
! 	free(p_line[p_end]);		/* Changed from postdecrement */
! 	p_end--;			/* by Keenan Ross for BSD2.9  */
      }
      assert(p_end == -1);
  

--- 391,401 -----
      Reg2 int context = 0;
  
      while (p_end >= 0) {
! 	if (p_end == p_efake)
! 	    p_end = p_bfake;		/* don't free twice */
! 	else
! 	    free(p_line[p_end]);
! 	p_end--;
      }
      assert(p_end == -1);
      p_efake = -1;
***************
*** 390,395
  	p_end--;			/* by Keenan Ross for BSD2.9  */
      }
      assert(p_end == -1);
  
      p_max = hunkmax;			/* gets reduced when --- found */
      if (diff_type == CONTEXT_DIFF || diff_type == NEW_CONTEXT_DIFF) {

--- 398,404 -----
  	p_end--;
      }
      assert(p_end == -1);
+     p_efake = -1;
  
      p_max = hunkmax;			/* gets reduced when --- found */
      if (diff_type == CONTEXT_DIFF || diff_type == NEW_CONTEXT_DIFF) {
***************
*** 637,642
  	
  	/* if there were omitted context lines, fill them in now */
  	if (fillcnt) {
  	    while (fillcnt-- > 0) {
  		while (p_char[fillsrc] != ' ')
  		    fillsrc++;

--- 646,653 -----
  	
  	/* if there were omitted context lines, fill them in now */
  	if (fillcnt) {
+ 	    p_bfake = filldst;		/* remember where not to free() */
+ 	    p_efake = filldst + fillcnt - 1;
  	    while (fillcnt-- > 0) {
  		while (p_char[fillsrc] != ' ')
  		    fillsrc++;