Cygwin: Fix cygheap corruption caused by cloned atomic buffer

The fhandler_base_overlapped::copyto clears atomic_write_buf on the
clone, but none of the derived classes were doing this.  This allowed
the destructor to double-free the buffer and corrupt cygheap.
Clear atomic_write_buf in copyto of all derived classes.

2 files changed, 5 insertions, 0 deletions

diff --git a/winsup/cygwin/fhandler.h b/winsup/cygwin/fhandler.h
index 2cc99d7..9e63867 100644
--- a/winsup/cygwin/fhandler.h
+++ b/winsup/cygwin/fhandler.h
@@ -1216,6 +1216,7 @@ public:
   {
     x->pc.free_strings ();
     *reinterpret_cast<fhandler_pipe *> (x) = *this;
+    reinterpret_cast<fhandler_pipe *> (x)->atomic_write_buf = NULL;
     x->reset (this);
   }
 
@@ -1256,6 +1257,7 @@ public:
   {
     x->pc.free_strings ();
     *reinterpret_cast<fhandler_fifo *> (x) = *this;
+    reinterpret_cast<fhandler_fifo *> (x)->atomic_write_buf = NULL;
     x->reset (this);
   }
 
diff --git a/winsup/cygwin/release/2.11.2 b/winsup/cygwin/release/2.11.2
index c8d81d4..b9ccc5c 100644
--- a/winsup/cygwin/release/2.11.2
+++ b/winsup/cygwin/release/2.11.2
@@ -11,3 +11,6 @@ Bug Fixes
 
 - Return ESPIPE rather than EINVAL from lseek on a fifo.
   Addresses: https://cygwin.com/ml/cygwin/2018-10/msg00019.html
+
+- Fix a memory corruption when using pipes or FIFOs
+  Addresses: https://cygwin.com/ml/cygwin-patches/2018-q4/msg00000.html