| Summary: | rarian-sk-prein cores on Solaris Nevada x86 | | |
|---|---|---|---|
| Product: | Rarian | Reporter: | Damien Carbery <damien.carbery> |
| Component: | General | Assignee: | Don Scorgie <Don> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | | |
| Priority: | medium | CC: | ghee.teo |
| Version: | unspecified | | |
| Hardware: | x86 (IA32) | | |
| OS: | Solaris | | |
| Whiteboard: | | | |
| i915 platform: | | i915 features: | |
| Bug Depends on: | 12247 | | |
| Bug Blocks: | | | |
| Attachments: | test program | | |
Description
Damien Carbery
2007-08-18 08:15:07 UTC
demangled stack trace, (dbx) where
=>[1] realfree(0x8073840), at 0xfeef8b54
[2] _malloc_unlocked(0x30, 0x8047a28, 0x804793c, 0xfee7bfac, 0x8047770, 0xfee678af), at 0xfeef8734
[3] malloc(0x2c, 0x8060441, 0x3f, 0xfee6788a), at 0xfeef8553
[4] operator new(0x2c), at 0xfee678af
[5] TiXmlNode::Identify(0x80478f8, 0x8074817, 0x1), at 0x805ea20
[6] TiXmlDocument::Parse(0x80478f8, 0x8074817, 0x0, 0x1), at 0x805e5b5
[7] TiXmlDocument::LoadFile(0x80478f8, 0x80731f8, 0x1), at 0x805a9b9
[8] TiXmlDocument::LoadFile(0x80478f8, 0x80741e8, 0x1), at 0x805a612
[9] TiXmlDocument::LoadFile(0x80478f8, 0x1), at 0x805a4ae
[10] main(0x4, 0x8047980, 0x8047994), at 0x805755d
seems like a double free.
Created attachment 11183 [details]
test program
I found that rarian-sk-preinstall crashes when the first parameter is exactly
42 characters long, regardless of whether the file is valid or not. For example,
rarian-sk-preinstall /12345/12345/12345/12345/12345/12345/12345 <attachedfile> <outputfile>
Wonder if you can try out if this is the case on Linux, please.
The crash happened here,
> dbx /usr/bin/rarian-sk-preinstall
For information about new features see `help changes'
To remove this message, put `dbxenv suppress_startup_message 7.5' in your .dbxrc
Reading rarian-sk-preinstall
Reading ld.so.1
Reading librarian.so.0.0.0
Reading libCstd.so.1
Reading libCrun.so.1
Reading libm.so.2
Reading libc.so.1
(dbx) run /12345/12345/12345/12345/12345/12345/12345 fsexam-es.omf ttty2
Running: rarian-sk-preinstall /12345/12345/12345/12345/12345/12345/12345 fsexam-es.omf ttty2
(process id 11308)
signal SEGV (no mapping at the fault address) in t_splay at 0xfec88f7a
0xfec88f7a: t_splay+0x0022: movl 0x00000008(%ebx),%ecx
Current function is TiXmlBase::StringToBuffer::StringToBuffer
130 buffer = new char[ str.length()+1 ];
(dbx) where
[1] t_splay(0x8093150), at 0xfec88f7a
[2] t_delete(0x8093150), at 0xfec88e55
[3] realfree(0x8093058), at 0xfec88b6c
[4] _malloc_unlocked(0x600), at 0xfec88734
[5] _smalloc(0x10), at 0xfec884e3
[6] _malloc_unlocked(0x10, 0x8047c4c, 0x8047b94, 0xfedbbfac, 0xfed90618, 0x8047ac4), at 0xfec88754
[7] malloc(0xe, 0xfefc8c24, 0xfeffcd08, 0xfeda788a), at 0xfec88553
[8] operator new(0xe, 0xfeffa7d0, 0x8047ac8, 0xfeda6c24, 0xfeffa7d0), at 0xfeda78af
[9] operator new[](0xe), at 0xfeda6c36
=>[10] TiXmlBase::StringToBuffer::StringToBuffer(this = 0x8047b24, str = CLASS), line 130 in "tinyxml.cpp"
[11] TiXmlDocument::LoadFile(this = 0x8047b58, encoding = TIXML_ENCODING_UTF8), line 984 in "tinyxml.cpp"
[12] main(argc = 4, argv = 0x8047bd8), line 125 in "rarian-sk-preinstall.cpp"
Found the problem with the right tool :) In line 99 and 103 of rarian-sk-preinstall.cpp, allocation of memory is made to do new_url = (char *) malloc (sizeof(char) * (strlen (input) + 6)); where 6 is allowed for 'file:/' which is correct. However, in the next line, sprintf (new_url, "file:/%s", input); which handles new_url as a NULL terminated string and so pads a '\0' which was not allocated and hence causes a write to unallocated memory subsequently. So the patch to fix the problem is simply

--- rarian-sk-preinstall.cpp.orig 2007-08-23 13:06:57.429793000 +0100 +++ rarian-sk-preinstall.cpp 2007-08-23 12:37:45.823579000 +0100 @@ -96,11 +96,11 @@ } if (i == 1) { /* Normal path. Add file:/ to the start */ - new_url = (char *) malloc (sizeof(char) * (strlen (input) + 6)); + new_url = (char *) malloc (sizeof(char) * (strlen (input) + 7)); sprintf (new_url, "file:/%s", input); } else { /* Don't know what to do. Just copy and append file: to it */ - new_url = (char *) malloc (sizeof(char) * (strlen(input) + 5)); + new_url = (char *) malloc (sizeof(char) * (strlen(input) + 6)); sprintf (new_url, "file:%s", input); } }

Don, can you apply this please on svn? Thanks :)

Thanks. I've got the fix in my (personal) tree however am having trouble committing to SVN. I will get this done ASAP. (Leaving as new until committed)

Fixed in 0.6.0. Not committed to SVN due to bug #12247. Marking this as a dependency to remind me to commit when done.

Committed. Closing.
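Review bot: the new sizes are correct (strlen + 7 covers "file:/", the input and the NUL terminator; strlen + 6 covers "file:"), but in both branches the buffer size is still computed in the malloc call and then an unbounded sprintf writes into it, so any later change to the prefix reintroduces the same one-byte heap overflow. Suggest computing the size once into a variable, passing that same size to snprintf (new_url, size, "file:/%s", input), and checking the malloc return value before writing, which neither branch does; the sizeof(char) factor is redundant and can go.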
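The off-by-one behind this bug, as an added C example that is not Rarian's code: it sizes the buffer both the original way (strlen + 6) and the patched way (strlen + 7) for the "file:/" branch, uses a bounded snprintf to report whether the original sprintf would have written past the allocation without actually doing so, and shows a hardened variant that allocates and writes using one computed size. FILE_URL_PREFIX, url_alloc_size, would_overflow and make_file_url are assumed names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constant: the prefix the tool adds to a path beginning with '/'. */
#define FILE_URL_PREFIX "file:/"

/* Allocation size as the original code computed it (strlen + 6) or as the
 * patch computes it (strlen + 7, leaving room for the NUL terminator). */
size_t url_alloc_size(const char *input, int patched)
{
    return strlen(input) + strlen(FILE_URL_PREFIX) + (patched ? 1 : 0);
}

/* Does sprintf("file:/%s") write past an allocation of alloc_size bytes?
 * snprintf(NULL, 0, ...) returns the length it wants to write (NUL
 * excluded), so a value >= alloc_size means string plus terminator do not
 * fit: the one-byte heap overflow from the report, detected without UB. */
int would_overflow(const char *input, size_t alloc_size)
{
    int needed = snprintf(NULL, 0, FILE_URL_PREFIX "%s", input);
    return needed < 0 || (size_t)needed >= alloc_size;
}

/* Hardened form: one size drives both the allocation and the bounded
 * write, so a future size miscalculation truncates and is reported
 * instead of corrupting the heap.  NULL on allocation failure/truncation. */
char *make_file_url(const char *input)
{
    size_t size = url_alloc_size(input, 1);
    char *url = malloc(size);
    if (url == NULL)
        return NULL;
    int n = snprintf(url, size, FILE_URL_PREFIX "%s", input);
    if (n < 0 || (size_t)n >= size) {
        free(url);
        return NULL;
    }
    return url;
}

int main(void)
{
    /* Constructed input: the 42-character path from the bug report. */
    const char *path = "/12345/12345/12345/12345/12345/12345/12345";
    size_t old_size = url_alloc_size(path, 0);
    printf("unpatched size %zu overflows: %d\n", old_size,
           would_overflow(path, old_size));
    char *url = make_file_url(path);
    if (url) { puts(url); free(url); }
    return 0;
}
```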