1*d101cdd6SStefan Eßer# Memory Bugs 2*d101cdd6SStefan Eßer 3*d101cdd6SStefan EßerThis is a list of all of the memory bugs that were found in *released* versions 4*d101cdd6SStefan Eßerof `bc`, `dc`, or `bcl`. (Non-released commits with memory bugs do not count.) 5*d101cdd6SStefan Eßer 6*d101cdd6SStefan EßerI made this list for two reasons: first, so users can know what versions of 7*d101cdd6SStefan Eßer`bc`, `dc`, and `bcl` have vulnerabilities, and two, I once had a perfect record 8*d101cdd6SStefan Eßerand then found a couple, but forgot and claimed I still had a perfect record 9*d101cdd6SStefan Eßerright after, which was embarrassing. 10*d101cdd6SStefan Eßer 11*d101cdd6SStefan EßerThis list is sorted by the first version a bug exists in, not the last it 12*d101cdd6SStefan Eßerexisted in. 13*d101cdd6SStefan Eßer 14*d101cdd6SStefan Eßer* In versions `1.1.0` until `6.2.0` (inclusive) of `bc` and `dc`, there is a 15*d101cdd6SStefan Eßer out of bounds read and write in history when pressing ctrl+r (or any other 16*d101cdd6SStefan Eßer unused letter) then inserting two characters. 17*d101cdd6SStefan Eßer 18*d101cdd6SStefan Eßer The first version without this bug is `6.2.1`. 19*d101cdd6SStefan Eßer 20*d101cdd6SStefan Eßer* In versions `3.0.0` until `6.0.1` (inclusive) of `bc` and `dc`, there is a 21*d101cdd6SStefan Eßer double-free on `SIGINT` when using command-line expressions with `-e` and 22*d101cdd6SStefan Eßer `-f`. This was caused by not properly ending a jump series. 23*d101cdd6SStefan Eßer 24*d101cdd6SStefan Eßer The first version without this bug is `6.0.2`. 25*d101cdd6SStefan Eßer 26*d101cdd6SStefan Eßer* In versions `5.0.0` until `6.0.4` (inclusive) of `bc`, there is an 27*d101cdd6SStefan Eßer out-of-bounds access if a non-local (non-`auto`) variable is set to a string 28*d101cdd6SStefan Eßer with `asciify()`, then the function is redefined with a use of the same 29*d101cdd6SStefan Eßer non-local variable. 30*d101cdd6SStefan Eßer 31*d101cdd6SStefan Eßer This happened because strings were stored per-function, and the non-local 32*d101cdd6SStefan Eßer variable now had a reference to the string in the old function, which could be 33*d101cdd6SStefan Eßer at a higher index than exists in the new function. Strings are stored globally 34*d101cdd6SStefan Eßer now, and they are *not* freed once not used. 35*d101cdd6SStefan Eßer 36*d101cdd6SStefan Eßer The first version without this bug is `6.1.0`. 37*d101cdd6SStefan Eßer 38*d101cdd6SStefan Eßer* In versions `5.0.0` until `6.0.4` (inclusive) of `bc`, there is another 39*d101cdd6SStefan Eßer out-of-bounds access if an array is passed to the `asciify()` built-in 40*d101cdd6SStefan Eßer function as the only argument. This happened because arrays are allowed as 41*d101cdd6SStefan Eßer function arguments, which allowed them to be used as arguments to `asciify()`, 42*d101cdd6SStefan Eßer but they should not have been allowed. However, since they were, the 43*d101cdd6SStefan Eßer `asciify()` code tried to access an argument that was not there. 44*d101cdd6SStefan Eßer 45*d101cdd6SStefan Eßer The first version without this bug is `6.1.0`. 46*d101cdd6SStefan Eßer 47*d101cdd6SStefan Eßer* In version `6.0.0` of `bcl`, there are several uses of initialized data that 48*d101cdd6SStefan Eßer have the same root cause: I forgot to call `memset()` on the per-thread global 49*d101cdd6SStefan Eßer data. This is because the data used to be *actually* global, which meant that 50*d101cdd6SStefan Eßer it was initialized to zero by the system. This happened because I thought I 51*d101cdd6SStefan Eßer had properly hooked Valgrind into my `bcl` tests, but I had not. 52*d101cdd6SStefan Eßer 53*d101cdd6SStefan Eßer The first version without this bug is `6.0.1`. 54