read after free in notmuch new

David Bremner david at tethera.net
Tue Feb 21 17:05:44 PST 2017


Tomi Ollila <tomi.ollila at iki.fi> writes:

> To me it looks like replacing g_hash_table_insert() with
> g_hash_table_replace() would do the trick.
>
> (or even g_hash_table_add()!)
>
> One has to read the documentation a bit (and compare the docstrings of
> these 2 functions to guess the missing pieces) to get some understanding of
> this...
>
>

Hi Tomi;

Thanks for the suggestion. Unfortunately in my experiments it just
shifts the invalid memory access to a different piece of memory. I think
the problem is that a pointer to the previous copy of that key also
leaked a reference via last_ref, so when we kill that via
g_hash_table_replace it causes the same problem.

d
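The ownership rule behind this exchange, as an added example that is not notmuch or GLib code: GLib documents that g_hash_table_insert() keeps the existing key and passes the newly supplied key to the key destroy function, while g_hash_table_replace() puts the new key in the table and passes the old key to the destroy function. The model below reproduces those two policies on a flat array (so it builds without GLib) and records "destroyed" keys instead of freeing them, so it can prove which copy a retained raw pointer ends up referring to without reading freed memory. The key string "Maildir/cur", the two-copy scenario and the name last_ref are constructed for illustration; real code would free the key for real, and the dangling read would be a use-after-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16

struct entry { char *key; int value; };

/* Minimal model of a key-owning hash table; a flat array is enough here. */
struct table {
    struct entry entries[MAX_ENTRIES];
    int n;
    /* Keys handed to the destroy function are recorded rather than freed, so the
       example can show which copy is dead without touching freed memory. */
    char *destroyed[MAX_ENTRIES];
    int ndestroyed;
};

static char *dup_string(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (!p) abort();
    memcpy(p, s, len);
    return p;
}

/* Stand-in for the key_destroy_func (g_free / talloc_free in real code). */
static void key_destroy(struct table *t, char *key) {
    t->destroyed[t->ndestroyed++] = key;
}

static int find_key(const struct table *t, const char *key) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->entries[i].key, key) == 0) return i;
    return -1;
}

/* g_hash_table_insert() semantics: on a duplicate key the table keeps the OLD
   key and destroys the NEW, passed-in key. */
static void table_insert(struct table *t, char *key, int value) {
    int i = find_key(t, key);
    if (i >= 0) { t->entries[i].value = value; key_destroy(t, key); return; }
    t->entries[t->n].key = key; t->entries[t->n].value = value; t->n++;
}

/* g_hash_table_replace() semantics: on a duplicate key the NEW key goes into
   the table and the OLD key is destroyed. */
static void table_replace(struct table *t, char *key, int value) {
    int i = find_key(t, key);
    if (i >= 0) {
        key_destroy(t, t->entries[i].key);
        t->entries[i].key = key; t->entries[i].value = value;
        return;
    }
    t->entries[t->n].key = key; t->entries[t->n].value = value; t->n++;
}

static int was_destroyed(const struct table *t, const char *p) {
    for (int i = 0; i < t->ndestroyed; i++)
        if (t->destroyed[i] == p) return 1;
    return 0;
}

enum policy { USE_INSERT, USE_REPLACE };

/* Scenario from the thread: equal key contents are inserted twice as two separate
   allocations, and a caller has kept a raw pointer ("last_ref") to one copy.
   Returns 1 if that pointer now refers to a destroyed key. */
static int last_ref_dangles(enum policy p, int last_ref_is_first_copy) {
    struct table t = {0};
    char *first = dup_string("Maildir/cur");    /* constructed sample key */
    char *second = dup_string("Maildir/cur");   /* same contents, new allocation */
    const char *last_ref = last_ref_is_first_copy ? first : second;
    void (*put)(struct table *, char *, int) = (p == USE_INSERT) ? table_insert : table_replace;
    put(&t, first, 1);
    put(&t, second, 2);
    int dangling = was_destroyed(&t, last_ref);
    free(first);    /* nothing was really freed above, so release both copies */
    free(second);
    return dangling;
}

/* The safe pattern: do not keep a pointer to a copy that may be destroyed;
   re-read the table-owned key after the insert. Never dangles under either policy. */
static int refreshed_ref_dangles(enum policy p) {
    struct table t = {0};
    char *first = dup_string("Maildir/cur");
    char *second = dup_string("Maildir/cur");
    void (*put)(struct table *, char *, int) = (p == USE_INSERT) ? table_insert : table_replace;
    put(&t, first, 1);
    put(&t, second, 2);
    const char *last_ref = t.entries[find_key(&t, "Maildir/cur")].key;
    int dangling = was_destroyed(&t, last_ref);
    free(first);
    free(second);
    return dangling;
}

int main(void) {
    printf("insert,  last_ref -> first copy:  dangling=%d\n", last_ref_dangles(USE_INSERT, 1));
    printf("insert,  last_ref -> second copy: dangling=%d\n", last_ref_dangles(USE_INSERT, 0));
    printf("replace, last_ref -> first copy:  dangling=%d\n", last_ref_dangles(USE_REPLACE, 1));
    printf("replace, last_ref -> second copy: dangling=%d\n", last_ref_dangles(USE_REPLACE, 0));
    printf("refreshed ref, insert/replace:   %d/%d\n",
           refreshed_ref_dangles(USE_INSERT), refreshed_ref_dangles(USE_REPLACE));
    return 0;
}
```

The four last_ref_dangles() cases show the point made in the reply: switching from insert to replace does not remove the dangling pointer, it only changes which of the two copies it points at. A pointer to the second copy dangles under insert semantics; a pointer to the first copy dangles under replace semantics. The only policy-independent fix is to stop retaining a pointer to a key the table may destroy, or to refresh it from the table after every insert.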

