This is the mail archive of the mailing list for the newlib project.

[PATCH] Properly initialize dynamically created '_atexit' structures

Hi All,

This patch fixes an issue that occurs when greater than _ATEXIT_SIZE
exit procedures of type '__et_cxa' are registered, small reentrant
structure support is enabled, and dynamic allocation of atexit entries
is enabled.  This bug is fairly easy to run into if you have a C++
program with lots of objects that have static storage duration.  The
control flow where the problem is encountered in '__register_exitproc'
goes like:

   1. 'p->_ind >= _ATEXIT_SIZE' is true and a new '_atexit' structure
      is dynamically allocated and stored in 'p'.

   2. 'p->_on_exit_args_ptr' is *not* set to NULL.

   3. 'type != __et_atexit' is true.

   4. At this point a new '_on_exit_args' structure should be created
      as well, but if 'p->_on_exit_args_ptr' happens to be non-NULL,
      then it isn't and bad things happen later when 'p->_on_exit_args_ptr'
      is used.

The problem is fixed by properly initializing '_on_exit_args_ptr' to


2013-08-16  Meador Inge  <>

	* libc/stdlib/__atexit.c (__register_exitproc): NULL-ify
	'_on_exit_args_ptr' when creating a new '_atexit' structure
	while '_REENT_SMALL' is defined.

diff --git a/newlib/libc/stdlib/__atexit.c b/newlib/libc/stdlib/__atexit.c
index d36a1a4..18edc8c 100644
--- a/newlib/libc/stdlib/__atexit.c
+++ b/newlib/libc/stdlib/__atexit.c
@@ -104,6 +104,8 @@ _DEFUN (__register_exitproc,
 #ifndef _REENT_SMALL
       p->_on_exit_args._fntypes = 0;
       p->_on_exit_args._is_cxa = 0;
+      p->_on_exit_args_ptr = NULL;
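
Review bot: the added 'p->_on_exit_args_ptr = NULL;' appears directly under '#ifndef _REENT_SMALL' in the lines shown, but the ChangeLog entry says the pointer is NULL-ified while '_REENT_SMALL' is defined, and the hunk header (-104,6 +104,8) counts two added lines where only one is visible. Please confirm the assignment sits in an '#else' branch of this conditional; the branch shown accesses '_on_exit_args' as an inline member, so it is worth checking that '_on_exit_args_ptr' exists in that configuration at all. A one-line comment next to the assignment saying that the dynamically allocated structure starts with indeterminate contents would also keep the initialization from being removed later as redundant.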

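The control flow described in the message can be reproduced with a small model. This is an added example, not code from the patch or from newlib: the struct layout, the names 'atexit_blk', 'new_block', 'ensure_args' and 'register_after_overflow', the value of 'ATEXIT_SIZE' and the 0xA5 fill that stands in for stale heap contents are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ATEXIT_SIZE 32   /* stand-in for _ATEXIT_SIZE; value is assumed */

/* Hypothetical, simplified model of the small-reentrant layout: the
   argument table is reached through a pointer instead of stored inline. */
struct on_exit_args { void *fnargs[ATEXIT_SIZE]; unsigned long is_cxa; };
struct atexit_blk {
  int ind;
  void (*fns[ATEXIT_SIZE])(void);
  struct on_exit_args *args_ptr;   /* models '_on_exit_args_ptr' */
};

/* Step 1: allocate a new block. malloc() does not zero memory; the 0xA5
   fill stands in for stale heap contents so the run is deterministic. */
static struct atexit_blk *new_block(int apply_fix)
{
  struct atexit_blk *p = malloc(sizeof *p);
  if (p == NULL) return NULL;
  memset(p, 0xA5, sizeof *p);
  p->ind = 0;
  if (apply_fix) p->args_ptr = NULL;   /* the initialization the patch adds */
  return p;
}

/* Steps 3-4: the table is allocated only when the pointer is NULL. Returns 1
   if allocated, 0 if the existing pointer was trusted as-is, -1 on failure. */
static int ensure_args(struct atexit_blk *p)
{
  if (p->args_ptr != NULL) return 0;
  p->args_ptr = calloc(1, sizeof *p->args_ptr);
  return p->args_ptr ? 1 : -1;
}

/* Runs the flow once and reports what ensure_args() decided. */
int register_after_overflow(int apply_fix)
{
  struct atexit_blk *p = new_block(apply_fix);
  int r = p ? ensure_args(p) : -1;
  if (r == 1) free(p->args_ptr);
  free(p);
  return r;
}

int main(void)
{
  printf("unpatched: %d\n", register_after_overflow(0));
  printf("patched:   %d\n", register_after_overflow(1));
  return 0;
}
```

A result of 0 in the unpatched run means the non-NULL garbage pointer was accepted as a valid table, which is the state step 4 of the message describes.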