mate-desktop / mate-calc

Calculator for MATE
http://www.mate-desktop.org
GNU General Public License v2.0

Expressions like e²3 crash mate-calc #213

Open Euriatol opened 1 year ago

Euriatol commented 1 year ago

Expected behaviour

e²3 should be an invalid expression

Actual behaviour

mate-calc crashes:

    free(): invalid pointer
    Abandon (core dumped)

Steps to reproduce the behaviour

Enter any variable name followed by a number in superscript and another number. Press enter. Note that the variable must exist. For example: var¹²³456

MATE general version

    $ mate-calc -v
    mate-calc 1.26.0

Package version

Package: mate-calc
Version: 1.26.0-1

Linux Distribution

Xubuntu 22.04.1 LTS x86_64

Link to bugreport of your Distribution (requirement)

Bug report

mbkma commented 1 year ago

Issue also exists in mate-calc 1.24.1

mbkma commented 1 year ago

The issue is an invalid free happening here: https://github.com/mate-desktop/mate-calc/blob/master/src/parser.c#L223

lukefromdc commented 1 year ago

Confirmed here too

lukefromdc commented 1 year ago

Indeed, removing lines 222-223 in parser.c

    if(node->value)
        free(node->value);

stops the crash. The question is: are there any conditions where this can cause a memory leak, or is this never a valid free? Not sure what's going on here. How is it the if statement isn't catching this?
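
An added example, not part of the thread and not mate-calc's code: a non-NULL test such as `if(node->value)` only rules out NULL, so it cannot tell a pointer returned by `malloc` from one that merely points somewhere else, and glibc aborts with `free(): invalid pointer` on the latter. The sketch below frees on an explicit ownership flag instead, which avoids both the invalid free and the leak that deleting the `free` would cause for heap-allocated values. `Node`, `owns_value`, `node_new`, `node_destroy` and `demo_mixed_tree` are hypothetical names, and it makes no claim about what `node->value` actually holds in parser.c.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical node type for illustration; not mate-calc's ParseNode. */
typedef struct Node {
    struct Node *left, *right;
    void *value;     /* non-NULL does NOT imply "returned by malloc" */
    int owns_value;  /* set only when value is a heap block this node must free */
} Node;

static int value_frees;  /* instrumentation: counts value frees performed */

static Node *node_new(void *value, int owns_value)
{
    Node *n = calloc(1, sizeof *n);
    if (n) {
        n->value = value;
        n->owns_value = owns_value;
    } else if (owns_value) {
        free(value);  /* do not leak the value if the node itself failed */
    }
    return n;
}

static void node_destroy(Node *n)
{
    if (!n)
        return;
    node_destroy(n->left);
    node_destroy(n->right);
    if (n->owns_value) {  /* ownership decides, not (n->value != NULL) */
        free(n->value);
        value_frees++;
    }
    free(n);
}

/* Builds one owned and one borrowed value; returns how many values were freed. */
int demo_mixed_tree(void)
{
    static char token[] = "e23";          /* constructed sample input */
    char *copy = malloc(sizeof token);    /* heap copy: owned */
    if (!copy)
        return -1;
    memcpy(copy, token, sizeof token);

    Node *root = node_new(token + 1, 0);  /* interior pointer: borrowed, non-NULL */
    if (!root) { free(copy); return -1; }
    root->left = node_new(copy, 1);

    value_frees = 0;
    node_destroy(root);
    return value_frees;
}
```

Running a build of this under AddressSanitizer or Valgrind confirms there is neither an invalid free nor a leak; swapping the flag test back to `if (n->value)` makes the borrowed pointer reach `free`.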