Bug#926658: gnuplot: free(): double free detected in tcache 2
Niels Thykier
niels at thykier.net
Mon Apr 8 18:56:26 BST 2019
Source: gnuplot
Version: 5.2.6+dfsg1-1
Severity: important
Hi,
After upgrading lindsay.d.o to buster, we see errors when trying to
generate graphs of the tags. While trying to create a minimal
reproducer I tripped a double free bug in gnuplot.
The following steps were done to reproduce the issue:
"""
$ unzip test-files.zip
$ cd test-files
test-files$ gdb -args gnuplot call.gp
[...]
(gdb) run
Starting program: /usr/bin/gnuplot call.gpi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min
free(): double free detected in tcache 2
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff78c6535 in __GI_abort () at abort.c:79
#2 0x00007ffff791d778 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7a2828d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff7923e6a in malloc_printerr (str=str@entry=0x7ffff7a29f58 "free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007ffff792594d in _int_free (av=0x7ffff7a5fc40 <main_arena>, p=0x5555556eb250, have_lock=<optimized out>) at malloc.c:4193
#5 0x000055555558d71d in gpfree_string (a=0x5555556e9828) at .././../../src/eval.c:423
#6 0x000055555558dbcb in gpfree_string (a=<optimized out>) at .././../../src/eval.c:422
#7 gpfree_array (a=a@entry=0x5555556e9860) at .././../../src/eval.c:446
#8 0x00005555555be5a7 in lf_pop () at .././../../src/misc.c:515
#9 0x00005555555bebad in load_file_error () at .././../../src/misc.c:626
#10 0x000055555556e8e5 in main (argc=2, argv=0x7fffffffe178) at .././../../src/plot.c:555
(gdb) quit
"""
Note: The test files *are* invalid - the common.gpi file should define
some variables but it does not (e.g. date_min). Nonetheless, gnuplot
should not trip a double-free regardless of whether the input is valid
or not.
Relevant versions of gnuplot used for reproducing this:
"""
$ dpkg -l | grep gnuplot
ii gnuplot-data 5.2.6+dfsg1-1 all Command-line driven interactive plotting program. Data-files
ii gnuplot-nox 5.2.6+dfsg1-1 amd64 Command-line driven interactive plotting program. No-X package
ii gnuplot-nox-dbgsym 5.2.6+dfsg1-1 amd64 debug symbols for gnuplot-nox
"""
Thanks,
~Niels