Avoid referencing free'd memory

Detail: The Unlink macro also released the memory back to the RMA, but in 2 cases passed the old pointer around in a service call. Change Unlink to only remove from the linked list, and add a Free macro to do the release after the service call. Admin: Spotted by Colin Granville. Version 0.73. Tagged as 'DeviceFS-0_73'

Avoid referencing free'd memory
Detail: The Unlink macro also released the memory back to the RMA, but in 2 cases passed the old pointer around in a service call. Change Unlink to only remove from the linked list, and add a Free macro to do the release after the service call. Admin: Spotted by Colin Granville. Version 0.73. Tagged as 'DeviceFS-0_73'
5cfd49c3 · ROOL · 54e89e2f · 5cfd49c3 · 5cfd49c3 · 5cfd49c3
Commit 5cfd49c3 authored 8 years ago by ROOL
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 26 deletions

VersionASM VersionASM +6 -6

VersionNum VersionNum +10 -10

s/DeviceFS s/DeviceFS +7 -5

s/FSystem s/FSystem +1 -1

s/Macros s/Macros +19 -4

No files found.
--- a/VersionASM
+++ b/VersionASM
@@ -11,13 +11,13 @@
                        GBLS    Module_HelpVersion
                        GBLS    Module_ComponentName
                        GBLS    Module_ComponentPath
-Module_MajorVersion     SETS    "0.72"
-Module_Version          SETA    72
+Module_MajorVersion     SETS    "0.73"
+Module_Version          SETA    73
 Module_MinorVersion     SETS    ""
-Module_Date             SETS    "06 Jun 2015"
-Module_ApplicationDate  SETS    "06-Jun-15"
+Module_Date             SETS    "23 Apr 2016"
+Module_ApplicationDate  SETS    "23-Apr-16"
 Module_ComponentName    SETS    "DeviceFS"
 Module_ComponentPath    SETS    "castle/RiscOS/Sources/HWSupport/DeviceFS"
-Module_FullVersion      SETS    "0.72"
-Module_HelpVersion      SETS    "0.72 (06 Jun 2015)"
+Module_FullVersion      SETS    "0.73"
+Module_HelpVersion      SETS    "0.73 (23 Apr 2016)"
                        END
--- a/VersionNum
+++ b/VersionNum
-/* (0.72)
+/* (0.73)
 *
 * This file is automatically maintained by srccommit, do not edit manually.
 * Last processed by srccommit version: 1.1.
 *
 */
-#define Module_MajorVersion_CMHG        0.72
+#define Module_MajorVersion_CMHG        0.73
 #define Module_MinorVersion_CMHG        
-#define Module_Date_CMHG                06 Jun 2015
+#define Module_Date_CMHG                23 Apr 2016

-#define Module_MajorVersion             "0.72"
-#define Module_Version                  72
+#define Module_MajorVersion             "0.73"
+#define Module_Version                  73
 #define Module_MinorVersion             ""
-#define Module_Date                     "06 Jun 2015"
+#define Module_Date                     "23 Apr 2016"

-#define Module_ApplicationDate          "06-Jun-15"
+#define Module_ApplicationDate          "23-Apr-16"

 #define Module_ComponentName            "DeviceFS"
 #define Module_ComponentPath            "castle/RiscOS/Sources/HWSupport/DeviceFS"

-#define Module_FullVersion              "0.72"
-#define Module_HelpVersion              "0.72 (06 Jun 2015)"
-#define Module_LibraryVersionInfo       "0:72"
+#define Module_FullVersion              "0.73"
+#define Module_HelpVersion              "0.73 (23 Apr 2016)"
+#define Module_LibraryVersionInfo       "0:73"
--- a/s/DeviceFS
+++ b/s/DeviceFS
@@ -853,7 +853,6 @@ Deregister      Entry   "r0-dr"
                BVS     %10                                     ; return any errors that may generate

                Unlink  ParentsAt, parent, pr, r3, r4
-                BVS     %10                                     ; return any errors

                MOV     r0, #0
                LDR     r1, =Service_DeviceDead
@@ -863,6 +862,8 @@ Deregister      Entry   "r0-dr"

                LDR     r3, =&DEADDEAD
                STR     r3, [pr, #parent_ValidationWord]        ; zap validation word
+                Free    pr
+                BVS     %FT10
                MOV     pr, r3

                PullEnv
@@ -1355,8 +1356,7 @@ deregisterdev   Entry   "r0, r2-r5, pr"
                MOV     r2, r5
                SWI     XOS_Module                              ; and release the block of workspace
 15
-                Unlink  DevicesAt, device, dr, r3, r4
-                BVS     %20                                     ; and then remove the block
+                Unlink  DevicesAt, device, dr, r3, r4           ; and then remove the block

                LDR     r0, [pr, #parent_ChildCount]
                SUB     r0, r0, #1
@@ -1373,8 +1373,10 @@ deregisterdev   Entry   "r0, r2-r5, pr"
                Debug   deregister, "service call issued"

                LDR     r3, =&DEADDEAD
-                STR     r3, [dr, #device_ValidationWord]        ; zap the validation word associated with file
-                MOV     dr, r3                                  ; and then ensure that the device register if
+                STR     r3, [dr, #device_ValidationWord]        ; zap validation word
+                Free    dr
+                BVS     %FT20
+                MOV     dr, r3

                MOV     r0, #upfsfile_Delete
                BL      IssueUpCall                             ; inform outside world that directory structure changed

--- a/s/FSystem
+++ b/s/FSystem
@@ -251,7 +251,6 @@ RemoveFSystem   Entry   "r0-r1"
 ; call: IssueUpCall
 ;
 ; in:   r0  = reason code for up call
-;       dr -> device record being modified
 ;
 ; out:  -
 ;
@@ -1548,6 +1547,7 @@ removefileblock Entry   "r0-r5, dr, pr"                         ; attempt to zap
                Debug   close,"broadcast UpCall_StreamClosed"

                Unlink  FilesAt, file, fr, r3, r4               ; unlink and free the file object (ignore errors)
+                Free    fr

                TST     r5, #ff_FileForTX                       ; is it a TX file
                ADDEQ   r0, pr, #parent_UsedInputs

--- a/s/Macros
+++ b/s/Macros
@@ -58,9 +58,7 @@ $label          LDR     $temp, $parent
 ;
 ; Unlink blocks from the internal link list structure.
 ;
-; r0, r2 and next, previous corrupt.
-;
-; r0 may point at an error block if V set.
+; next, previous and flags corrupt.
 ;
                MACRO
 $label          Unlink  $parent, $linkname, $pointer, $next, $previous
@@ -81,9 +79,26 @@ $label
                TEQ     $next, #0                               ; did I have a following block?
                STRNE   $previous, [$next, #$linkname._Previous]

+                MEND
+
+; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+
+
+; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+;
+; Frees blocks previously claimed from RMA.
+;
+; r0, r2 corrupt.
+;
+; r0 may point at an error block if V set.
+;
+                MACRO
+                Free    $pointer
                MOV     r0, #ModHandReason_Free
              [ "$pointer"<>"r2"
-                !       0, "unlink: unlink having to move record pointer from $pointer to r2"
+                !       0, "free: free having to move record pointer from $pointer to r2"
                MOV     r2, $pointer                            ; ensure -> block is in r2
              ]
                SWI     XOS_Module                              ; and free the block