Package: bc
Version: 1.06.95-2+b1
Severity: normal
Tags: patch

more_arrays, more_vars, and more_functions all share very similar code, but need to loop over different variables (a_count, v_count, f_count). more_arrays uses a_count. This bug can be demonstrated non-deterministically most of the time giving a glibc corruption by:

dd if=/dev/urandom bs=4M count=3 | ./bc 2> /dev/null

I was reading a paper (Bug Isolation via Remote Program Sampling (Liblit et al, PLDI 2003)) from 2003, saw this bug mentioned in passing, and tested it on a whim. Since it was trivial to patch I did.

Alex

Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these lines ***

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bc depends on:
ii  dpkg          1.16.2
ii  install-info  4.13a.dfsg.1-10
ii  libc6         2.13-28
ii  libncurses5   5.9-6
ii  libreadline6  6.2-8

bc recommends no packages.

bc suggests no packages.

-- no debconf information

diff -r bc-1.06.95/bc/storage.c fixed/bc/storage.c 182c182 < for (; indx < v_count; indx++) --- > for (; indx < a_count; indx++)
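
Review bot: The hunk at line 182 of bc/storage.c is a context-free normal diff, so nothing in it shows that the changed loop is the one in more_arrays or what the loop body writes. Please resend it as a unified diff with function context (diff -up) so the change from "indx < v_count" to "indx < a_count" can be checked against the surrounding allocation, and confirm in the same pass that the matching loops in more_vars and more_functions are bounded by v_count and f_count respectively.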
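
The failure mode described in the report, as an added example that is not bc's code and not part of the original report: a simplified model of a table that grows by a fixed step and then initializes its new slots. It assumes the patched loop is that initialization loop; GROW_STEP, check_init_loop and the slot counts are hypothetical. No memory is written, the loop indices are only classified.

```c
#include <stddef.h>
#include <stdio.h>

#define GROW_STEP 32   /* hypothetical growth increment, not taken from bc */

struct grow_report {
    size_t out_of_bounds;   /* writes that would land past the new allocation */
    size_t uninitialized;   /* new slots the loop never reaches */
};

/*
 * Model the "initialize the new slots" loop after a table has grown from
 * old_count to old_count + GROW_STEP entries. loop_bound is the counter the
 * loop compares against: the table's own count in the fixed code (a_count),
 * a sibling table's count in the copy-pasted code (v_count).
 */
struct grow_report check_init_loop(size_t old_count, size_t loop_bound)
{
    size_t new_count = old_count + GROW_STEP;
    struct grow_report r = {0, 0};
    size_t indx;

    for (indx = old_count; indx < loop_bound; indx++)
        if (indx >= new_count)
            r.out_of_bounds++;          /* heap write outside the table */

    if (loop_bound < new_count)         /* loop stopped short of the new end */
        r.uninitialized = new_count -
            (loop_bound > old_count ? loop_bound : old_count);
    return r;
}

int main(void)
{
    /* Constructed scenarios: the arrays table grows from 32 to 64 slots. */
    struct { const char *name; size_t bound; } cases[] = {
        {"fixed, bound = a_count (64)", 64},
        {"buggy, v_count = 128", 128},
        {"buggy, v_count = 32", 32},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct grow_report r = check_init_loop(32, cases[i].bound);
        printf("%-28s out_of_bounds=%zu uninitialized=%zu\n",
               cases[i].name, r.out_of_bounds, r.uninitialized);
    }
    return 0;
}
```

Which of the two outcomes occurs depends on how the other table's counter compares with this one at the moment of growth, which is consistent with the report's note that the crash is non-deterministic.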