| Summary: | app-text/recode-3.6 - recode_string() clobbers out-of-bounds memory | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Ken Pizzini <ken> |
| Component: | Current packages | Assignee: | Gentoo Shell Tools project <shell-tools> |
| Status: | RESOLVED TEST-REQUEST | | |
| Severity: | normal | CC: | csy150, jeffames, jmjonesey, vapier, zlynx |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | program which demos the "bad result text" bug in recode_string(); More aggressive test program; aggressive test program, with code fixes | | |
Description (Ken Pizzini, 2004-10-20 04:49:43 UTC)

Created attachment 42245: program which demos the "bad result text" bug in recode_string()

On the recode homepage (http://recode.progiciels-bpi.ca/showfile.html?name=dist/TODO), the first item listed is "Memory leaks: see add_to_sequence, ALLOC, recode_{m,re}alloc}", which I suspect is the cause of this problem (and also occasional segfaults on some architectures). So this may be a known issue upstream....

I discovered another thing in recode that is sort of related to this. fortune was seg-faulting so I fixed it. At least, I fixed the one bit that was seg-faulting for me. It still produces extra output sometimes. When it reallocates memory to make more space for a possible 4-byte terminator, it's off by one. In recode's src/request.c function guarantee_nul_terminator, line 1077, change +4 to +5.

When compiling recode with --with-dmalloc (I was going to add this to the recode ebuild for USE=debug but lack of keywords for dmalloc currently prevents this), I noticed that anything that uses recode (confirmed with both recode-bug.c and fortune-mod) and then tries to free the char pointer allocated by recode_string() will die with a glibc free() invalid pointer message. For example, recode-bug (and fortune too) dies with:

    abcdefghijklmnopqrst ABCDEFGHIJKLMNOPQRST
    *** glibc detected *** free(): invalid pointer: 0x0804af00 ***
    Aborted (core dumped)

I'm not really sure why it's considered an invalid pointer, but recode_string() does NOT return NULL. When I compiled recode-bug with dmalloc support (#include <dmalloc.h> and link with -ldmalloc), it works as it should (no remaining PQRS)... go figure. I thought about compiling recode-bug with efence support, but figured that'd probably cause a boatload of problems (mixing efence with the dmalloc support in librecode), but actually it's given me the only clue so far as to the real problem:

    ElectricFence Aborting: Electric Fence: free(804af00): address not from malloc().
    Illegal instruction (core dumped)

Unfortunately, I'm not really sure where to go from here :/ I've tried going through the relevant recode source, but have yet to find anything that really sticks out; it's not the easiest code to read (*much* pointer magic) ;p

Sorry for interruption. Posted just for convenience. The homepage of app-text/recode-3.6-r1.ebuild is outdated. The current one is: http://recode.progiciels-bpi.ca/ Thanks.

I just fixed this since it was breaking fortune-mod. Update to recode-3.6-r2 and make sure it works for you please.

Created attachment 69209: More aggressive test program

While the proposed recode_3.6-11.diff.gz patch (gentoo recode-3.6-r2) does appear to work fine for the simple test case in my first attachment, and so far I haven't noticed a problem from fortune-mod, this more aggressive test program shows me that recode still has at *least* one more pointer/buffer bug (I variously get segfaults or a fatal error from glibc).
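The terminator guarantee that the "+4 to +5" comment above refers to, as an added example in C that reconstructs the pattern rather than reproducing recode's own guarantee_nul_terminator; the struct fields, TERMINATOR_BYTES and the helper names are assumptions for illustration, not recode's code.

```c
#include <stdlib.h>
#include <string.h>

/* Output buffer model: [buffer, limit) is the allocation, cursor is one past
   the last converted byte. Names are assumptions, not recode's definitions. */
struct out_buffer {
    char *buffer;
    char *cursor;
    char *limit;
};

/* Widest terminator that may be needed: one zero UCS-4 unit (assumed). */
#define TERMINATOR_BYTES 4

/* Ensure TERMINATOR_BYTES zero bytes fit after the cursor, growing the
   allocation if needed, then write them. The cursor does not move.
   Returns 0 on success, -1 if realloc fails (buffer stays valid). */
int guarantee_terminator(struct out_buffer *out)
{
    size_t used = (size_t)(out->cursor - out->buffer);
    size_t size = (size_t)(out->limit - out->buffer);
    /* Test the exact requirement; an approximate bound here is where an
       off-by-one lets the memset below run past the allocation. */
    if (size < used + TERMINATOR_BYTES) {
        size_t new_size = used + TERMINATOR_BYTES;
        char *p = realloc(out->buffer, new_size);
        if (p == NULL)
            return -1;
        out->buffer = p;
        out->cursor = p + used;
        out->limit = p + new_size;
    }
    memset(out->cursor, 0, TERMINATOR_BYTES);
    return 0;
}

/* Constructed input: a buffer the converter filled exactly, leaving no room
   for any terminator (the case that exposes the bug). */
struct out_buffer make_full_buffer(const char *text)
{
    struct out_buffer out;
    size_t n = strlen(text);
    out.buffer = malloc(n ? n : 1);   /* malloc(0) may return NULL */
    if (out.buffer == NULL)
        abort();
    memcpy(out.buffer, text, n);
    out.cursor = out.buffer + n;
    out.limit = out.buffer + n;       /* limit == cursor: no spare byte */
    return out;
}
```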
*** Bug 103593 has been marked as a duplicate of this bug. ***

Modifying the title of this bug to be more general; reopening.

http://recode.progiciels-bpi.ca/ has some testing 3.6[abc] versions you could try

*** Bug 101705 has been marked as a duplicate of this bug. ***

*** Bug 68065 has been marked as a duplicate of this bug. ***

This bug is 10 years old but whatever. I've just bumped recode to version 3.7. You might consider giving it a try and report back whether you still experience this error. Thanks!

Downloaded zip-ball from https://github.com/pinard/Recode [3.7-beta2, plus whatever extra commits might be on HEAD]. Attachment 69209 still trips an error for me (malloc() variously reports either "memory corruption" or "corrupted double-linked list", spews a stack backtrace, and coredumps).

A note about attachment 69209: the printf() on line 55 of test.c is missing an argument. There should be a ``i,'' between the format string and the reference to ``text,''. There also should be a ``#include <string.h>'' at the top. My re-test this afternoon included these two fixes; I'll attach a new version of the code incorporating these two fixes.

Created attachment 487884: aggressive test program, with code fixes