Hi!

On Fri, Jun 17, 2011 at 12:47 AM, A. Costa <agco...@gis.net> wrote:
> To narrow down the trigger of the error, I whittled away at that 'lsmod'
> output, then substituted various chars.  So far the smallest input
> which reproduces the segfault is only 5 characters long:
>
>        % echo "aa a" | msort --quiet -l -t '.' ; echo $?
>        Segmentation fault
>        139

By recompiling and running msort inside gdb I was able to get a backtrace:

#0  0xb7e8330b in wcscpy () from /lib/i686/cmov/libc.so.6
#1  0x08050f12 in FillDynamicString (tgt=0xbffff4dc, src=0xfffffffc
<Address 0xfffffffc out of bounds>) at dstr.c:88
#2  0x08057def in GetKeys (recptr=0x806bf00, info=0x806a860, keys=1,
MaxInInput=97 L'a', FirstRecordP=1) at msort.c:4212
#3  0x0805a0a2 in main (ac=5, av=0xbffff724) at msort.c:1776

It's triggered by this line:
4212          if(FillDynamicString(&TempKey,Key) == ERROR) {

That calls FillDynamicString with TempKey in this state:
{s = 0x0, c = 0, l = 0}
And Key in this state:
0x806bf40 L""

The code of FillDynamicString says:

int
FillDynamicString(struct dstr *tgt, wchar_t *src) {
  int length;
  length = wcslen(src);
#ifdef SAFECALL
  if(length == 0) return(ERROR);
#endif
  if (length > tgt->c) {
    if(tgt->s != NULL) free( (void *) tgt->s);
    tgt->s = (wchar_t *) malloc((length + 1) * sizeof(wchar_t));
    if(tgt->s == NULL) return(ERROR);
    tgt->c = length;
  }
  wcscpy(tgt->s,src);
  tgt->l = length;
  return(SUCCESS);
}

So, from what I gather, the problem is that if the length of the
string is 0, it still has 1 character, the \0 char (as the malloc
code after it knows), but the > comparison doesn't take that into account.

So, it should be:

int
FillDynamicString(struct dstr *tgt, wchar_t *src) {
  int length;
  length = wcslen(src);
#ifdef SAFECALL
  if(length == 0) return(ERROR);
#endif
  if (length+1 > tgt->c) {   /* count the terminating \0 as well */
    if(tgt->s != NULL) free( (void *) tgt->s);
    tgt->s = (wchar_t *) malloc((length + 1) * sizeof(wchar_t));
    if(tgt->s == NULL) return(ERROR);
    tgt->c = length;
  }
  wcscpy(tgt->s,src);
  tgt->l = length;
  return(SUCCESS);
}

Changing this code and rebuilding led to no SegFault.

--
Love,
Marga
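Added example (my own, not msort's code and not part of the thread): a small C model of the bug and fix discussed above. It assumes a struct with the three fields the backtrace shows (s, c, l) and placeholder ERROR/SUCCESS values; it departs from the posted fix by storing the capacity including the terminator, so the comparison and the stored capacity stay consistent.

```c
/* Added example, not msort's code: a minimal model of the dstr bug. The
 * struct mirrors the fields the backtrace shows (s, c, l); ERROR/SUCCESS
 * values are placeholders. */
#include <stdlib.h>
#include <wchar.h>
#define SUCCESS 0
#define ERROR   1

struct dstr {
    wchar_t *s;   /* heap buffer, NULL until the first fill */
    size_t   c;   /* capacity in wchar_t, counting the terminator */
    size_t   l;   /* string length, excluding the terminator */
};

/* Original allocation test. For an empty target (c == 0) and an empty
 * key (length == 0) it answers "no allocation needed", so wcscpy() then
 * writes through s == NULL: the reported segfault. */
int original_needs_alloc(size_t length, size_t capacity) {
    return length > capacity;
}

/* Corrected test: the terminating L'\0' needs a slot as well. */
int fixed_needs_alloc(size_t length, size_t capacity) {
    return length + 1 > capacity;
}

/* Fixed filler. Capacity is recorded including the terminator, so a
 * string that exactly fits the existing buffer is not reallocated. */
int fill_dynamic_string(struct dstr *tgt, const wchar_t *src) {
    size_t length = wcslen(src);
    if (fixed_needs_alloc(length, tgt->c)) {
        wchar_t *buf = malloc((length + 1) * sizeof *buf);
        if (buf == NULL) return ERROR;   /* keep the old buffer on failure */
        free(tgt->s);
        tgt->s = buf;
        tgt->c = length + 1;
    }
    wcscpy(tgt->s, src);
    tgt->l = length;
    return SUCCESS;
}

void free_dynamic_string(struct dstr *tgt) {
    free(tgt->s);
    tgt->s = NULL;
    tgt->c = tgt->l = 0;
}
```

original_needs_alloc(0, 0) is exactly the state the backtrace shows (TempKey all zeros, Key = L""), which is why the first empty key crashed.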
