diff3: fix heap use-after-free; add minimal diff3 test coverage

Commit v3.3-42-g3b74a90, "FIXME: src/diff3: plug a leak" added an invalid use of free, leading to use-after-free in nearly any invocation of diff3. Revert that commit. * NEWS (Bug fixes): Mention it. * tests/diff3: New file, to add minimal test coverage. * tests/Makefile.am (TESTS): Add it. Reported by Bastian Beischer in http://bugs.gnu.org/24210
2026-01-27 01:44:20 +00:00 · 2016-08-13 18:53:36 -07:00 · 2016-08-13 18:53:36 -07:00 · 1a0df4396e
commit 1a0df4396e
parent 88d911dbc7
4 changed files with 34 additions and 1 deletions
--- a/3
+++ b/3
@ -4,6 +4,9 @@ GNU diffutils NEWS                                    -*- outline -*-

 ** Bug fixes

+  diff3 no longer malfunctions due to use-after-free
+  [bug introduced in 3.4]
+
  diff --color no longer colorizes when TERM=dumb


--- a/src/diff3.c
+++ b/src/diff3.c
@ -1039,7 +1039,6 @@ process_diff (char const *filea,

  *block_list_end = NULL;
  *last_block = bptr;
-  free (diff_contents);
  return block_list;
 }

--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -6,6 +6,7 @@ TESTS = \
  binary \
  brief-vs-stat-zero-kernel-lies \
  colliding-file-names \
+  diff3 \
  excess-slash \
  help-version	\
  function-line-vs-leading-space \
--- a/tests/diff3
+++ b/tests/diff3
@ -0,0 +1,30 @@
+#!/bin/sh
+# This would malfunction in diff-3.4
+
+. "${srcdir=.}/init.sh"; path_prepend_ ../src
+
+echo a > a || framework_failure_
+echo b > b || framework_failure_
+echo c > c || framework_failure_
+cat <<'EOF' > exp || framework_failure_
+====
+1:1c
+  a
+2:1c
+  b
+3:1c
+  c
+EOF
+
+fail=0
+
+diff3 a b c > out 2> err || fail=1
+compare exp out || fail=1
+compare /dev/null err || fail=1
+
+# Repeat, but with all three files the same:
+diff3 a a a > out 2> err || fail=1
+compare /dev/null out || fail=1
+compare /dev/null err || fail=1
+
+Exit $fail