[Mono-bugs] [Bug 82019][Nor] New - free(): invalid pointer in DeflateStream

bugzilla-daemon at bugzilla.ximian.com
Thu Jul 5 17:00:46 EDT 2007

Please do not reply to this email; if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by jason.madden at riskmetrics.com.


--- shadow/82019	2007-07-05 17:00:46.000000000 -0400
+++ shadow/82019.tmp.13917	2007-07-05 17:00:46.000000000 -0400
@@ -0,0 +1,40 @@
+Bug#: 82019
+Product: Mono: Class Libraries
+Version: 1.2
+OS Details: Linux
+Status: NEW   
+Priority: Normal
+Component: System
+AssignedTo: mono-bugs at ximian.com                            
+ReportedBy: jason.madden at riskmetrics.com               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: free(): invalid pointer in DeflateStream
+Description of Problem:
+Closing a DeflateStream can result in an invalid free because the z_stream
+pointer passed to native code isn't valid. The reason is that the
+free_z_stream function in zlib_macros.c is defined to take two params
+("free_z_stream(z_stream *z, int compress)"), but DeflateStream.cs only
+passes in one ("free_z_stream(IntPtr z_stream)"). When free_z_stream()
+tries to access that first parameter, it gets junk from the stack instead.
+I suspect this probably only manifests in some configurations and
+architectures, depending on compile-time flags. It occurs for me with Mono
+1.2.4, zlib 1.2.3, and glibc 2.5 on x86, all compiled with -O3.
+Patch attached.
+*** glibc detected *** /usr/bin/mono: free(): invalid pointer: 0x00007fff ***
+ at (wrapper managed-to-native)
+System.IO.Compression.DeflateStream.free_z_stream (intptr) <0x00004>
+  at (wrapper managed-to-native)
+System.IO.Compression.DeflateStream.free_z_stream (intptr) <0xffffffff>
+  at System.IO.Compression.DeflateStream.DisposeCore ()
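Review bot: the Description attributes the crash to an arity mismatch between the native `free_z_stream(z_stream *z, int compress)` in zlib_macros.c and the managed `free_z_stream(IntPtr z_stream)` in DeflateStream.cs, but the "Patch attached" it refers to is not part of this message and the hunk header declares 40 added lines, more than are shown, so the proposed fix cannot be checked from this record. The report should say which side the patch changes and, if the managed declaration gains the second argument, what value of `compress` DisposeCore passes. The trace shows the call reaching native code through the managed-to-native wrapper with a single `intptr`, so any other native declarations in DeflateStream.cs should be compared against their prototypes in zlib_macros.c in the same pass. The Version field (1.2) and the description (Mono 1.2.4) should also agree.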
