Cygwin: posix timers: allocate timer_tracker on system heap.

Allocating on the cygheap would copy information of the tracker into
the child process.  A forked child knows the timer id and could simply
still access the (free'd but still valid) timer_tracker on the heap,
which is dangerous and very certainly doesn't reflect POSIX semantics.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

winsup/cygwin/cygheap_malloc.h

@@ -34,8 +34,7 @@ enum cygheap_types
   HEAP_2_DLL,
   HEAP_MMAP,
   HEAP_2_MAX = 200,
-  HEAP_3_FHANDLER,
-  HEAP_3_TIMER
+  HEAP_3_FHANDLER
 };
 
 extern "C" {

winsup/cygwin/posix_timer.cc

@@ -414,10 +414,11 @@ timer_tracker::settime (int flags, const itimerspec *new_value,
   return ret;
 }
 
-/* The timers are stored on the cygheap. */
+/* The timers are stored on the system heap in order to avoid accidental
+   leaking of timer ids into the child process. */
 #define cnew(name, ...) \
   ({ \
-    void* ptr = (void*) ccalloc (HEAP_3_TIMER, 1, sizeof (name)); \
+    void* ptr = (void*) HeapAlloc (GetProcessHeap (), 0, sizeof (name)); \
     ptr ? new (ptr) name (__VA_ARGS__) : NULL; \
   })
 

winsup/cygwin/posix_timer.h

@@ -30,7 +30,7 @@ class timer_tracker
 
  public:
   void *operator new (size_t, void *p) __attribute__ ((nothrow)) {return p;}
-  void operator delete (void *p) { cfree (p); }
+  void operator delete (void *p) { HeapFree (GetProcessHeap (), 0, p); }
   timer_tracker (clockid_t, const sigevent *);
   ~timer_tracker ();
   inline bool is_timer_tracker () const { return magic == TT_MAGIC; }