Heap corruption in win32 compiled by VC

I checked out the newest code from svn and compiled it with VC, but an
exception occurred. So I modified the cl option to -MTd and compiled again.
WinDbg shows that the CheckBytes function returns false when calling
ngx_free() at ngx_shmem.c:43.

I think that ngx_sprintf must put more than name's allocated size in bytes into
name, so I used ngx_snprintf to replace ngx_sprintf. The problem
disappeared. Is it useful?

name = ngx_alloc(shm->name.len + 2 + sizeof(NGX_INT32_LEN),

shm->log);
if (name == NULL) {
return NGX_ERROR;
}

  • (void) ngx_sprintf(name, “%V_%s%Z”, &shm->name, ngx_unique);
  • (void) ngx_snprintf(name, shm->name.len + 2 +
    sizeof(NGX_INT32_LEN),
  •                                "%V_%s%Z", &shm->name, ngx_unique);
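Review bot: the budget in the context line, `shm->name.len + 2 + sizeof(NGX_INT32_LEN)`, looks wrong regardless of which formatter follows it: NGX_INT32_LEN is itself a length (the decimal width of a 32-bit value), so `sizeof(NGX_INT32_LEN)` is the size of that integer expression rather than the width, and the `+` line only changes what happens once ngx_unique does not fit. Suggest allocating `shm->name.len + 2 + NGX_INT32_LEN` and keeping the bounded call on top of that. Note also that when ngx_snprintf runs out of room the `%Z` terminator is dropped along with the rest of the output, so `name` would then be passed on as an unterminated string; the size has to be right, not merely bounded.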
    

Posted at Nginx Forum:

Hello!

On Wed, Jul 13, 2011 at 01:36:38AM -0400, bigplum wrote:

shm->log);
if (name == NULL) {
return NGX_ERROR;
}

  • (void) ngx_sprintf(name, “%V_%s%Z”, &shm->name, ngx_unique);
  • (void) ngx_snprintf(name, shm->name.len + 2 +
    sizeof(NGX_INT32_LEN),
  •                                "%V_%s%Z", &shm->name, ngx_unique);
    

The fact that the patch helps suggests that ngx_unique wasn't set
properly. Looks like a ./configure problem to me.

(on the other hand, setting ngx_unique needs more sanity checking
anyway: looks like it currently just trusts the environment if it's
found, not a good thing to do)

Maxim D.
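An added example, not nginx code and not from either poster, that works through the two points raised in this thread: the sizing arithmetic in the quoted ngx_alloc() call from the first post, and the sanity check on an environment-supplied ngx_unique that Maxim asks for. NGX_INT32_LEN is defined here the way nginx's ngx_config.h defines it; the helper names (alloc_size_as_written, alloc_size_intended, build_shm_name, unique_is_sane), the zone name and the unique value are all constructed for the illustration. The digits-only rule in unique_is_sane is a hypothetical policy, chosen because nginx fills ngx_unique with its own pid when the variable is absent.

```c
/* Added example (not nginx code): the allocation arithmetic behind the
 * ngx_shmem.c report, plus a sanity check for an environment-supplied
 * ngx_unique.  Helper names and sample values are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Same definition as nginx's ngx_config.h: the decimal width of a
 * 32-bit integer, i.e. 11. */
#define NGX_INT32_LEN   (sizeof("-2147483648") - 1)

/* Bytes the quoted ngx_alloc() call reserves.  sizeof(NGX_INT32_LEN) is
 * the size of a size_t expression (4 or 8), not the digit count 11. */
size_t alloc_size_as_written(size_t name_len)
{
    return name_len + 2 + sizeof(NGX_INT32_LEN);
}

/* Bytes the call was presumably meant to reserve: room for the widest
 * 32-bit value plus the '_' separator and the NUL. */
size_t alloc_size_intended(size_t name_len)
{
    return name_len + 2 + NGX_INT32_LEN;
}

/* Bytes "<name>_<unique>\0" actually occupies for a given unique string. */
size_t alloc_size_needed(size_t name_len, const char *unique)
{
    return name_len + 1 + strlen(unique) + 1;
}

/* Build "<name>_<unique>" into buf.  Returns 0 on success, -1 if it does
 * not fit.  Unlike a bounded copy that silently stops at the limit, it
 * never writes past bufsz and never leaves buf unterminated. */
int build_shm_name(char *buf, size_t bufsz, const char *name,
                   size_t name_len, const char *unique)
{
    size_t need = alloc_size_needed(name_len, unique);

    if (bufsz == 0) {
        return -1;
    }
    if (need > bufsz) {
        buf[0] = '\0';          /* leave a valid (empty) C string behind */
        return -1;
    }
    memcpy(buf, name, name_len);
    buf[name_len] = '_';
    memcpy(buf + name_len + 1, unique, strlen(unique));
    buf[need - 1] = '\0';
    return 0;
}

/* Hypothetical policy for a value read from the environment: non-empty,
 * decimal digits only, no wider than a 32-bit integer. */
int unique_is_sane(const char *s)
{
    size_t n = strlen(s);
    size_t i;

    if (n == 0 || n > NGX_INT32_LEN) {
        return 0;
    }
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char) s[i])) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    const char *zone = "cache_zone";   /* constructed sample zone name */
    const char *uniq = "4294967295";   /* constructed: widest 32-bit pid */
    size_t      len  = strlen(zone);
    char        buf[64];

    printf("as written: %zu, intended: %zu, needed: %zu\n",
           alloc_size_as_written(len), alloc_size_intended(len),
           alloc_size_needed(len, uniq));

    if (build_shm_name(buf, alloc_size_as_written(len), zone, len, uniq) != 0) {
        puts("name does not fit in the buffer as allocated");
    }
    if (build_shm_name(buf, sizeof(buf), zone, len, uniq) == 0) {
        puts(buf);
    }
    printf("env value sane: %d\n", unique_is_sane(uniq));
    return 0;
}
```

The three size functions make the bug visible without running nginx: for a 10-byte zone name the buffer as written is 16 or 20 bytes depending on pointer width, while a 10-digit pid needs 22 and the intended budget is 23. Swapping ngx_sprintf for ngx_snprintf with the same budget only converts the overflow into a truncated, unterminated name, which is why build_shm_name reports failure instead of truncating.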