From owner-freebsd-bugs Thu Jun 27 12:30:29 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B5D2C37B406 for ; Thu, 27 Jun 2002 12:30:02 -0700 (PDT)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g5RJU2JU006958 for ; Thu, 27 Jun 2002 12:30:02 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g5RJU2je006957; Thu, 27 Jun 2002 12:30:02 -0700 (PDT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id 1B7A037B400 for ; Thu, 27 Jun 2002 12:21:20 -0700 (PDT)
Received: (from dan@localhost) by dan.emsphone.com (8.12.5/8.12.5) id g5RJLIMi072400; Thu, 27 Jun 2002 14:21:18 -0500 (CDT) (envelope-from dan)
Message-Id: <200206271921.g5RJLIMi072400@dan.emsphone.com>
Date: Thu, 27 Jun 2002 14:21:18 -0500 (CDT)
From: Dan Nelson
Reply-To: Dan Nelson
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/39930: [PATCH] makewhatis crashes on very very long descriptions
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         39930
>Category:       bin
>Synopsis:       [PATCH] makewhatis crashes on very very long descriptions
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 27 12:30:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Dan Nelson
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
The Allant Group
>Environment:
System: FreeBSD dan.emsphone.com 5.0-CURRENT FreeBSD 5.0-CURRENT #170: Thu Jun 20 14:04:13 CDT 2002 dan@dan.emsphone.com:/usr/src/sys/i386/compile/DANSMP i386
>Description:
Makewhatis forgets to update a pointer when resizing an internal buffer, causing the second resize attempt to fail.
>How-To-Repeat:
Install the qt3 port, which installs the qwidget.3qt manpage, which has so much text in its NAME section that the whatis entry is 13791 bytes. Run "makewhatis", see it coredump. It crashes trying to increase the sbuf from 4096->8912->16384 bytes.
>Fix:
The only change absolutely required is the addition of the sbuf->last assignment. The other changes were to help debug the problem. Bounds-checking gcc flagged the overlapping strcpy, and the while line generates an invalid pointer during the compare.

Index: makewhatis.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/makewhatis/makewhatis.c,v
retrieving revision 1.6
diff -u -p -r1.6 makewhatis.c
--- makewhatis.c	7 Jun 2002 01:01:08 -0000	1.6
+++ makewhatis.c	27 Jun 2002 18:49:35 -0000
@@ -217,16 +217,19 @@ static void sbuf_need(struct sbuf *sbuf, int nchars) { /* let's assume we only need to double it, but check just in case */ - while (sbuf->end + nchars > sbuf->last) { + while (sbuf->last - sbuf->end < nchars) { int alloc; char *new_content; alloc = (sbuf->last - sbuf->content + 1) * 2; new_content = (char *) malloc(alloc); + if (new_content == NULL) + err(1, "sbuf_need malloc"); memcpy(new_content, sbuf->content, sbuf->end - sbuf->content); sbuf->end = new_content + (sbuf->end - sbuf->content); free(sbuf->content); sbuf->content = new_content; + sbuf->last = sbuf->content + alloc - 1; } } @@ -616,7 +619,7 @@ process_mdoc_line(char *line) next = strchr(next, '"'); if (next == NULL) break; - strcpy(next, &next[1]); + memmove(next, next+1, strlen(next)); line_end--; if (*next != '"') break;
>Release-Note:
>Audit-Trail:
>Unformatted:
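Review bot: in the sbuf_need hunk, the added `sbuf->last = sbuf->content + alloc - 1;` is the real fix and it hard-codes the convention that `last` points at the final usable byte, which is exactly what `alloc = (sbuf->last - sbuf->content + 1) * 2` already assumes; please check that the place where the sbuf is first allocated uses the same convention, otherwise the two disagree by one and `sbuf_capacity`-style arithmetic drifts. The rewritten condition `while (sbuf->last - sbuf->end < nchars)` is the right shape: the old `sbuf->end + nchars > sbuf->last` formed a pointer past the allocation before comparing, and on the second pass compared it against a `last` still pointing into the freed first buffer. Two smaller items: `alloc` is an `int` that doubles unchecked (harmless for a 13791-byte entry, but a `size_t` with an overflow check costs nothing), and since `err()` is new in this function, confirm `<err.h>` is already included in makewhatis.c.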
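Review bot: in the process_mdoc_line hunk, `memmove(next, next+1, strlen(next))` uses the correct length (strlen(next) bytes starting at next+1 covers the tail plus its terminating NUL), so it is a proper replacement for the overlapping `strcpy(next, &next[1])`, whose behaviour is undefined when source and destination overlap; the following `line_end--;` keeps the tracked length consistent with the shortened string. Only a style nit: style(9) wants spaces around binary operators, so `next + 1` rather than `next+1`.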
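The following is an added example, not code from the PR or from makewhatis.c: a self-contained sbuf with the same three-pointer layout (content/end/last) whose grow routine carries the fix above, including the `last` rebase, plus a driver that pushes a constructed 13791-byte payload through the same 4096-to-16384 growth path in a single sbuf_need call, so the loop has to iterate twice with a correct `last`. The function names, the overflow guard and the demo driver are this example's own.

```c
/* Added example (not makewhatis code): a minimal sbuf with the PR's fix. */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sbuf {
	char *content;	/* start of the allocation */
	char *end;	/* one past the last byte in use */
	char *last;	/* last usable byte of the allocation (capacity - 1) */
};

static size_t
sbuf_capacity(const struct sbuf *sbuf)
{
	return (size_t)(sbuf->last - sbuf->content) + 1;
}

static size_t
sbuf_len(const struct sbuf *sbuf)
{
	return (size_t)(sbuf->end - sbuf->content);
}

static struct sbuf *
sbuf_new(size_t cap)
{
	struct sbuf *sbuf = malloc(sizeof(*sbuf));

	if (sbuf == NULL || (sbuf->content = malloc(cap)) == NULL)
		err(1, "sbuf_new malloc");
	sbuf->end = sbuf->content;
	sbuf->last = sbuf->content + cap - 1;	/* same convention as the fix */
	return sbuf;
}

/* Grow until at least nchars bytes plus a terminator fit after end.  The
 * condition is computed as a difference inside the object (no pointer is
 * formed past the allocation) and all three pointers are rebased onto the
 * new block, including last, which the unpatched code left stale. */
static void
sbuf_need(struct sbuf *sbuf, size_t nchars)
{
	while ((size_t)(sbuf->last - sbuf->end) < nchars) {
		size_t used = sbuf_len(sbuf);
		size_t alloc = sbuf_capacity(sbuf) * 2;
		char *new_content;

		if (alloc < sbuf_capacity(sbuf))	/* overflow guard (added here) */
			errx(1, "sbuf_need: size overflow");
		new_content = malloc(alloc);
		if (new_content == NULL)
			err(1, "sbuf_need malloc");
		memcpy(new_content, sbuf->content, used);
		free(sbuf->content);
		sbuf->content = new_content;
		sbuf->end = new_content + used;
		sbuf->last = new_content + alloc - 1;	/* the line the PR adds */
	}
}

static void
sbuf_append(struct sbuf *sbuf, const char *s, size_t n)
{
	sbuf_need(sbuf, n);
	memcpy(sbuf->end, s, n);
	sbuf->end += n;
	*sbuf->end = '\0';	/* last - end >= n before the copy, so this fits */
}

static void
sbuf_free(struct sbuf *sbuf)
{
	free(sbuf->content);
	free(sbuf);
}

/* Start from `initial` bytes, append a constructed payload of `nbytes` 'A's
 * in one call (so one sbuf_need may double several times) and return the
 * final capacity, or 0 if the contents did not survive intact. */
static size_t
grow_demo(size_t initial, size_t nbytes)
{
	struct sbuf *sbuf = sbuf_new(initial);
	char *payload = malloc(nbytes + 1);
	size_t cap;
	int ok;

	if (payload == NULL)
		err(1, "malloc");
	memset(payload, 'A', nbytes);
	payload[nbytes] = '\0';
	sbuf_append(sbuf, payload, nbytes);
	ok = sbuf_len(sbuf) == nbytes &&
	    sbuf->content <= sbuf->end && sbuf->end <= sbuf->last &&
	    memcmp(sbuf->content, payload, nbytes) == 0 &&
	    sbuf->content[nbytes] == '\0';
	cap = sbuf_capacity(sbuf);
	free(payload);
	sbuf_free(sbuf);
	return ok ? cap : 0;
}

int
main(void)
{
	/* the PR's scenario: a 13791-byte whatis entry into a 4096-byte sbuf */
	printf("final capacity: %zu\n", grow_demo(4096, 13791));
	return 0;
}
```

With the PR's numbers the single append doubles twice (4096, 8192, 16384) and the data is intact; the edge cases at exactly 4095 and 4096 bytes show the condition leaves room for the terminator without growing one step too early.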