sort -u: fix a thread-race pointer corruption bug

* src/sort.c (write_unique): Save the entire "struct line", not
just a pointer to one.  Otherwise, with a multi-thread run,
sometimes, with some inputs, fillbuf would would win a race
and clobber a "saved->text" pointer in one thread just before
it was dereferenced in a comparison in another thread.
* NEWS (Bug fixes): Mention it.

diff --git a/NEWS b/NEWS
index 2d3f1f3..79484c1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,9 @@ GNU coreutils NEWS                                    -*- outline -*-
   od now prints floating-point numbers without losing information, and
   it no longer omits spaces between floating-point columns in some cases.
 
+  sort -u with at least two threads could attempt to read through a
+  corrupted pointer. [bug introduced in coreutils-8.6]
+
 ** New features
 
   split accepts the --number option to generate a specific number of files.

diff --git a/src/sort.c b/src/sort.c
index 7e25f6a..1aa1eb4 100644 (file)
--- a/src/sort.c
+++ b/src/sort.c
@@ -3226,13 +3226,13 @@ queue_pop (struct merge_node_queue *queue)
 static void
 write_unique (struct line const *line, FILE *tfp, char const *temp_output)
 {
-  static struct line const *saved = NULL;
+  static struct line saved;
 
   if (!unique)
     write_line (line, tfp, temp_output);
-  else if (!saved || compare (line, saved))
+  else if (!saved.text || compare (line, &saved))
     {
-      saved = line;
+      saved = *line;
       write_line (line, tfp, temp_output);
     }
 }