From d4c884330c384bbb06f9a0d1fee2d2ae2086521c Mon Sep 17 00:00:00 2001
From: Christopher Ferris
Date: Fri, 5 Feb 2016 11:07:12 -0800
Subject: Fix use of uninitialized memory.
When creating an UnwindMapLocal fails in the Build() function call, the destructor for UnwindMap is called. Unfortunately, the map_cursor_ member variable has not been initialized, so the call to destroy it winds up operating on garbage data. Part of this is a result of a bad class hierarchy, so this refactors the classes slightly, and properly initializes the map_cursor_ member variable in the base class.
Bug: 26931578
Change-Id: I885596bf65e4ef63559cee2c56cd41576d5ecc1b
---
 libbacktrace/UnwindMap.cpp | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'libbacktrace/UnwindMap.cpp')
diff --git a/libbacktrace/UnwindMap.cpp b/libbacktrace/UnwindMap.cpp
index 879fea5eb..34d79f970 100644
--- a/libbacktrace/UnwindMap.cpp
+++ b/libbacktrace/UnwindMap.cpp
@@ -33,14 +33,18 @@
 // of maps using the same map cursor.
 //-------------------------------------------------------------------------
 UnwindMap::UnwindMap(pid_t pid) : BacktraceMap(pid) {
+ unw_map_cursor_clear(&map_cursor_);
+}
+
+UnwindMapRemote::UnwindMapRemote(pid_t pid) : UnwindMap(pid) {
 }
-UnwindMap::~UnwindMap() {
+UnwindMapRemote::~UnwindMapRemote() {
 unw_map_cursor_destroy(&map_cursor_);
 unw_map_cursor_clear(&map_cursor_);
 }
-bool UnwindMap::GenerateMap() {
+bool UnwindMapRemote::GenerateMap() {
 // Use the map_cursor information to construct the BacktraceMap data
 // rather than reparsing /proc/self/maps.
 unw_map_cursor_reset(&map_cursor_);
@@ -63,7 +67,7 @@ bool UnwindMap::GenerateMap() {
 return true;
 }
-bool UnwindMap::Build() {
+bool UnwindMapRemote::Build() {
 return (unw_map_cursor_create(&map_cursor_, pid_) == 0) && GenerateMap();
 }
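Review bot: `UnwindMapRemote::~UnwindMapRemote()` still calls `unw_map_cursor_destroy(&map_cursor_)` unconditionally, so when `Build()` was never called or `unw_map_cursor_create` failed it now runs on a cursor that was only cleared by the base constructor. That is safe only if libunwind's destroy treats a cleared cursor as a no-op and a failed create leaves the cursor in that state, neither of which is visible on this page, so it is worth confirming or guarding with a "created" flag. I would state the invariant next to the new constructor line, e.g. `// Clear the cursor so a destructor never sees uninitialized data if Build() fails or is never called.` In the second hunk, `UnwindMapRemote::Build()` overwrites `map_cursor_` without destroying a previous one, so a repeated call would presumably leak the earlier cursor.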
@@ -84,6 +88,7 @@ bool UnwindMapLocal::GenerateMap() {
 for (int i = 0; i < 3; i++) {
 maps_.clear();
+ // Save the map data retrieved so we can tell if it changes.
 unw_map_local_cursor_get(&map_cursor_);
 unw_map_t unw_map;
@@ -142,7 +147,7 @@ BacktraceMap* BacktraceMap::Create(pid_t pid, bool uncached) {
 } else if (pid == getpid()) {
 map = new UnwindMapLocal();
 } else {
- map = new UnwindMap(pid);
+ map = new UnwindMapRemote(pid);
 }
 if (!map->Build()) {
 delete map;
--
cgit v1.2.3
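Review bot: The `delete map;` on the `!map->Build()` path in the last hunk goes through what appears to be a `BacktraceMap*`, and with this commit the remote cursor teardown lives only in `~UnwindMapRemote()`. That destructor runs on this path only if the `BacktraceMap` destructor is virtual; the headers are not part of this page, so this should be confirmed there, since otherwise the delete is undefined behaviour and the cursor is never destroyed. As a style point, holding the object in a `std::unique_ptr<BacktraceMap>` inside `Create` and returning `map.release()` on success would remove the manual `delete` from the failure path. `Create`'s body starts and ends outside the hunk.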