Failing command:

scrollkeeper-preinstall /usr/share/gnome/help/fsexam/de/fsexam.xml ./fsexam-de.omf fsexam-de.omf.out; /bin/bash: line 1: 26272 Segmentation Fault (core dumped) scrollkeeper-preinstall /usr/share/gnome/help/fsexam/de/fsexam.xml ./$file $file.out
pkgbuild: make[3]: [omf_timestamp] Error 139 (ignored)

$ file core
core: ELF 32-bit LSB core file 80386 Version 1, from 'rarian-sk-prein'
$ pstack core
core 'core' of 19162: scrollkeeper-preinstall /usr/share/gnome/help/fsexam/de/fsexam.xml fse
 feef8b54 realfree (8073840) + 48
 feef8734 _malloc_unlocked (30, 8047c7c, 8047bcc, fee7bfac, 8047a00, fee678af) + 1bc
 feef8553 malloc (2c, 8060441, 3f, fee6788a) + 37
 fee678af __1c2n6FI_pv_ (2c) + 33
 0805ea20 __1cJTiXmlNodeIIdentify6MpkcnNTiXmlEncoding__p0_ (8047b88, 8074817, 1) + 1f0
 0805e5b5 __1cNTiXmlDocumentFParse6MpkcpnQTiXmlParsingData_nNTiXmlEncoding__2_ (8047b88, 8074817, 0, 1) + 1b5
 0805a9b9 __1cNTiXmlDocumentILoadFile6MpnG__FILE_nNTiXmlEncoding__b_ (8047b88, 80731f8, 1) + 359
 0805a612 __1cNTiXmlDocumentILoadFile6MpkcnNTiXmlEncoding__b_ (8047b88, 80741e8, 1) + 52
 0805a4ae __1cNTiXmlDocumentILoadFile6MnNTiXmlEncoding__b_ (8047b88, 1) + 3e
 0805755d main (4, 8047c10, 8047c24) + 8d
 080571ba _start (4, 8047ce4, 8047cfc, 8047d27, 8047d35, 0) + 7a

Let me know what other information you need to debug this.
Demangled stack trace:

(dbx) where
=>[1] realfree(0x8073840), at 0xfeef8b54
  [2] _malloc_unlocked(0x30, 0x8047a28, 0x804793c, 0xfee7bfac, 0x8047770, 0xfee678af), at 0xfeef8734
  [3] malloc(0x2c, 0x8060441, 0x3f, 0xfee6788a), at 0xfeef8553
  [4] operator new(0x2c), at 0xfee678af
  [5] TiXmlNode::Identify(0x80478f8, 0x8074817, 0x1), at 0x805ea20
  [6] TiXmlDocument::Parse(0x80478f8, 0x8074817, 0x0, 0x1), at 0x805e5b5
  [7] TiXmlDocument::LoadFile(0x80478f8, 0x80731f8, 0x1), at 0x805a9b9
  [8] TiXmlDocument::LoadFile(0x80478f8, 0x80741e8, 0x1), at 0x805a612
  [9] TiXmlDocument::LoadFile(0x80478f8, 0x1), at 0x805a4ae
  [10] main(0x4, 0x8047980, 0x8047994), at 0x805755d

Seems like a double free.
Created attachment 11183: test program
I found that rarian-sk-preinstall crashes when the first parameter is exactly 42 characters long, regardless of whether the file is valid or not. For example:

rarian-sk-preinstall /12345/12345/12345/12345/12345/12345/12345 <attachedfile> <outputfile>

Wonder if you can try out whether this is the case on Linux, please. The crash happened here:

> dbx /usr/bin/rarian-sk-preinstall
For information about new features see `help changes'
To remove this message, put `dbxenv suppress_startup_message 7.5' in your .dbxrc
Reading rarian-sk-preinstall
Reading ld.so.1
Reading librarian.so.0.0.0
Reading libCstd.so.1
Reading libCrun.so.1
Reading libm.so.2
Reading libc.so.1
(dbx) run /12345/12345/12345/12345/12345/12345/12345 fsexam-es.omf ttty2
Running: rarian-sk-preinstall /12345/12345/12345/12345/12345/12345/12345 fsexam-es.omf ttty2
(process id 11308)
signal SEGV (no mapping at the fault address) in t_splay at 0xfec88f7a
0xfec88f7a: t_splay+0x0022: movl 0x00000008(%ebx),%ecx
Current function is TiXmlBase::StringToBuffer::StringToBuffer
  130 buffer = new char[ str.length()+1 ];
(dbx) where
  [1] t_splay(0x8093150), at 0xfec88f7a
  [2] t_delete(0x8093150), at 0xfec88e55
  [3] realfree(0x8093058), at 0xfec88b6c
  [4] _malloc_unlocked(0x600), at 0xfec88734
  [5] _smalloc(0x10), at 0xfec884e3
  [6] _malloc_unlocked(0x10, 0x8047c4c, 0x8047b94, 0xfedbbfac, 0xfed90618, 0x8047ac4), at 0xfec88754
  [7] malloc(0xe, 0xfefc8c24, 0xfeffcd08, 0xfeda788a), at 0xfec88553
  [8] operator new(0xe, 0xfeffa7d0, 0x8047ac8, 0xfeda6c24, 0xfeffa7d0), at 0xfeda78af
  [9] operator new[](0xe), at 0xfeda6c36
=>[10] TiXmlBase::StringToBuffer::StringToBuffer(this = 0x8047b24, str = CLASS), line 130 in "tinyxml.cpp"
  [11] TiXmlDocument::LoadFile(this = 0x8047b58, encoding = TIXML_ENCODING_UTF8), line 984 in "tinyxml.cpp"
  [12] main(argc = 4, argv = 0x8047bd8), line 125 in "rarian-sk-preinstall.cpp"
Found the problem with the right tool :)

In lines 99 and 103 of rarian-sk-preinstall.cpp, the memory allocation is done as

new_url = (char *) malloc (sizeof(char) * (strlen (input) + 6));

where 6 is allowed for 'file:/', which is correct. However, the next line,

sprintf (new_url, "file:/%s", input);

handles new_url as a NUL-terminated string and so pads it with a '\0' which was not allocated, and hence causes a write to unallocated memory subsequently. So the patch to fix the problem is simply

--- rarian-sk-preinstall.cpp.orig 2007-08-23 13:06:57.429793000 +0100 +++ rarian-sk-preinstall.cpp 2007-08-23 12:37:45.823579000 +0100 @@ -96,11 +96,11 @@ } if (i == 1) { /* Normal path. Add file:/ to the start */ - new_url = (char *) malloc (sizeof(char) * (strlen (input) + 6)); + new_url = (char *) malloc (sizeof(char) * (strlen (input) + 7)); sprintf (new_url, "file:/%s", input); } else { /* Don't know what to do. Just copy and append file: to it */ - new_url = (char *) malloc (sizeof(char) * (strlen(input) + 5)); + new_url = (char *) malloc (sizeof(char) * (strlen(input) + 6)); sprintf (new_url, "file:%s", input); } }

Don, can you apply this please on svn? Thanks :)
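Review bot: in the hunk at -96,11 +96,11 both corrected sizes are still hand-counted constants (+7 and +6) that must be kept in sync with the "file:/" and "file:" literals in the sprintf two lines below, which is exactly how the original +6/+5 miscount arose; derive the size from the parts instead, e.g. `size_t need = strlen ("file:/") + strlen (input) + 1;`, and replace the unbounded `sprintf (new_url, "file:/%s", input);` with `snprintf (new_url, need, "file:/%s", input);` so any future miscount truncates rather than overruns the heap. The malloc return value is also unchecked in both branches before sprintf writes through it, and `sizeof(char)` is 1 by definition and can be dropped.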
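The off-by-one above and the "exactly 42 characters" observation in the earlier comment, worked through as an added example that is not part of the bug report or of rarian's code: the buggy sizing always overruns by exactly one byte (the NUL), and whether that byte corrupts the neighbouring heap chunk depends on how much rounding slack the allocator leaves. The 16-byte rounding granule and the `make_file_url` hardened replacement are assumptions for illustration, not the committed fix; the path strings are constructed from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX "file:/"

/* Size the pre-fix code allocated for "file:/" + input: six prefix
 * characters plus the input, with no room for the NUL that sprintf
 * always appends. */
size_t buggy_alloc_size(const char *input)
{
    return strlen(input) + 6;
}

/* Bytes sprintf("file:/%s", input) actually writes, terminator included. */
size_t sprintf_bytes(const char *input)
{
    return strlen(PREFIX) + strlen(input) + 1;
}

/* Bytes written past the end of the buggy buffer: always exactly one. */
size_t overflow_bytes(const char *input)
{
    return sprintf_bytes(input) - buggy_alloc_size(input);
}

/* Assumption for illustration: the allocator rounds each request up to a
 * multiple of `granule` bytes, so a request that is already a multiple has
 * no slack and a one-byte overrun lands in the neighbouring chunk's
 * metadata, while other lengths are silently absorbed by the padding. */
size_t padding_bytes(size_t request, size_t granule)
{
    return (granule - request % granule) % granule;
}

/* 1 if the buggy code's overrun reaches the neighbouring chunk under the
 * assumed granule, 0 if the rounding slack hides it. */
int overrun_hits_neighbour(const char *input, size_t granule)
{
    return padding_bytes(buggy_alloc_size(input), granule) < overflow_bytes(input);
}

/* Hypothetical hardened replacement (not the committed fix): size the buffer
 * from its parts, bound the write with snprintf, and check that it fitted.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *make_file_url(const char *input)
{
    size_t need = strlen(PREFIX) + strlen(input) + 1;   /* +1 for the NUL */
    char *url = malloc(need);
    if (url == NULL)
        return NULL;
    int n = snprintf(url, need, "%s%s", PREFIX, input);
    if (n < 0 || (size_t)n >= need) {   /* cannot happen with `need` above, but fail closed */
        free(url);
        return NULL;
    }
    return url;
}

int main(void)
{
    /* Constructed inputs: the 42-character path from the bug report and a
     * 41-character variant of it. */
    const char *path42 = "/12345/12345/12345/12345/12345/12345/12345";
    const char *path41 = "/12345/12345/12345/12345/12345/12345/1234";
    const size_t granule = 16;   /* assumed allocator rounding, see above */

    printf("42 chars: alloc=%zu written=%zu overrun=%zu hits neighbour=%d\n",
           buggy_alloc_size(path42), sprintf_bytes(path42),
           overflow_bytes(path42), overrun_hits_neighbour(path42, granule));
    printf("41 chars: alloc=%zu written=%zu overrun=%zu hits neighbour=%d\n",
           buggy_alloc_size(path41), sprintf_bytes(path41),
           overflow_bytes(path41), overrun_hits_neighbour(path41, granule));

    char *url = make_file_url(path42);
    if (url != NULL) {
        printf("%s (%zu bytes incl. NUL)\n", url, strlen(url) + 1);
        free(url);
    }
    return 0;
}
```

With a 42-character input the request is 48 bytes, already a multiple of the assumed granule, so the stray NUL lands on the next chunk and the corruption surfaces later inside malloc's free-list handling (the t_splay/realfree frames in the dbx trace). With 41 characters the same one-byte overrun is absorbed by padding, which is why the crash looks length-specific even though every input overruns; any other length with zero slack would trigger it too.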
Thanks. I've got the fix in my (personal) tree however am having trouble committing to SVN. I will get this done ASAP. (Leaving as new until committed)
Fixed in 0.6.0. Not committed to SVN due to bug #12247. Marking this as a dependency to remind me to commit when done.
Committed. Closing.