Debug CRT writes to a freed block when _CrtSetDbgFlag(_CRTDBG_LEAK_CHECK_DF) is used - by Vladimir2013

Status: Duplicate

This item appears to be a duplicate of another existing Connect or internal item. A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 780768
Status: Closed
Type: Bug
Repros: 0
Opened: 3/6/2013 2:06:50 AM
Access Restriction: Public

Description

When a DLL with a statically linked debug CRT, which called _CrtSetDbgFlag(_CRTDBG_LEAK_CHECK_DF), exits, the CRT code will write to a freed heap block. This will be caught by the page heap or some other heap debugger and can potentially lead to memory corruption.

The problem is that __freeCrtMemory() from crt0dat.c will be called twice (stack traces attached) and it will decrease the reference count for __ptmbcinfo twice (line 495):

    if (InterlockedDecrement(&(__ptmbcinfo->refcount)) == 0 && __ptmbcinfo != &__initialmbcinfo)
    {
        _free_crt(__ptmbcinfo);
        __ptmbcinfo = &__initialmbcinfo;
    }

This structure was allocated at mbctype.cpp:600 and it has a refcount of 2 since it is also stored in the _getptd() data.
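
The over-release described in the report, as an added model that is not part of the original report and not CRT source: a block with two holders is released twice through the global path, so the per-thread holder later writes to freed memory. All names are hypothetical, the "freed" flag stands in for the real heap free, the order (per-thread release after the second cleanup call) is an assumption the report does not state, and the guard is one illustrative way to make the cleanup idempotent, not the fix Microsoft shipped.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not CRT source; every name here is hypothetical. */
typedef struct { long refcount; bool freed; } info_t;

static info_t initial_info = { 1, false }; /* static fallback, never freed */
static info_t heap_info;                   /* stands in for the heap block */
static info_t *global_ref;                 /* models the global pointer */
static info_t *thread_ref;                 /* models the per-thread copy */
static bool cleanup_done;

static void setup(void) {
    heap_info.refcount = 2;                /* one count per holder */
    heap_info.freed = false;
    global_ref = thread_ref = &heap_info;
    cleanup_done = false;
}

/* Same shape as the snippet in the report: drop the global reference. */
static void cleanup_global(bool guarded) {
    if (guarded && cleanup_done) return;   /* guard makes a repeat call a no-op */
    cleanup_done = true;
    if (--global_ref->refcount == 0 && global_ref != &initial_info) {
        global_ref->freed = true;          /* models _free_crt() */
        global_ref = &initial_info;
    }
}

/* Per-thread release; returns true if it wrote to an already freed block. */
static bool cleanup_thread(void) {
    bool stale = thread_ref->freed;
    if (--thread_ref->refcount == 0) thread_ref->freed = true;
    return stale;
}

/* Global cleanup runs twice, then the per-thread reference is released. */
bool exit_writes_to_freed_block(bool guarded) {
    setup();
    cleanup_global(guarded);
    cleanup_global(guarded);
    return cleanup_thread();
}

int main(void) {
    printf("unguarded: %d\n", exit_writes_to_freed_block(false));
    printf("guarded:   %d\n", exit_writes_to_freed_block(true));
    return 0;
}
```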


Posted by Microsoft on 3/11/2013 at 4:01 PM
Hello,

Thank you for reporting this bug. This issue was first reported to us a few months ago (see http://connect.microsoft.com/VisualStudio/feedback/details/773459/dllcrt0-c-corrupts-heap). We have fixed this bug and the fix will be available in the next release of our Visual C++ libraries.

Note: Connect doesn't notify me about comments. If you have any further questions, please feel free to e-mail me.

James McNellis
Visual C++ Libraries
james.mcnellis@microsoft.com

Posted by Microsoft on 3/6/2013 at 9:32 PM
Thanks for your feedback.

We are rerouting this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow up on your issue.

Posted by Microsoft on 3/6/2013 at 2:49 AM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly (http://support.microsoft.com).