sort -u: fix a thread-race pointer corruption bug

* src/sort.c (write_unique): Save the entire "struct line", not just a pointer to one. Otherwise, with a multi-thread run, sometimes, with some inputs, fillbuf would would win a race and clobber a "saved->text" pointer in one thread just before it was dereferenced in a comparison in another thread. * NEWS (Bug fixes): Mention it.
2024-11-24 10:23:31 +08:00 · 2010-11-30 22:30:12 +01:00 · 2010-11-30 22:30:12 +01:00 · 3afda5f007
commit 3afda5f007
parent 43d1112d01
2 changed files with 6 additions and 3 deletions
--- a/3
+++ b/3
@ -7,6 +7,9 @@ GNU coreutils NEWS                                    -*- outline -*-
  od now prints floating-point numbers without losing information, and
  it no longer omits spaces between floating-point columns in some cases.

+  sort -u with at least two threads could attempt to read through a
+  corrupted pointer. [bug introduced in coreutils-8.6]
+
 ** New features

  split accepts the --number option to generate a specific number of files.
--- a/src/sort.c
+++ b/src/sort.c
@ -3226,13 +3226,13 @@ queue_pop (struct merge_node_queue *queue)
 static void
 write_unique (struct line const *line, FILE *tfp, char const *temp_output)
 {
-  static struct line const *saved = NULL;
+  static struct line saved;

  if (!unique)
    write_line (line, tfp, temp_output);
-  else if (!saved || compare (line, saved))
+  else if (!saved.text || compare (line, &saved))
    {
-      saved = line;
+      saved = *line;
      write_line (line, tfp, temp_output);
    }
 }