Date:      Thu, 27 Jun 2002 14:21:18 -0500 (CDT)
From:      Dan Nelson <dnelson@allantgroup.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/39930: [PATCH] makewhatis crashes on very very long descriptions
Message-ID:  <200206271921.g5RJLIMi072400@dan.emsphone.com>

>Number:         39930
>Category:       bin
>Synopsis:       [PATCH] makewhatis crashes on very very long descriptions
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 27 12:30:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Dan Nelson
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
The Allant Group
>Environment:
System: FreeBSD dan.emsphone.com 5.0-CURRENT FreeBSD 5.0-CURRENT #170: Thu Jun 20 14:04:13 CDT 2002 dan@dan.emsphone.com:/usr/src/sys/i386/compile/DANSMP i386

>Description:

Makewhatis forgets to update a pointer when resizing an internal
buffer, causing the second resize attempt to fail.

>How-To-Repeat:

Install the qt3 port, which installs the qwidget.3qt manpage, which has
so much text in its NAME section that the whatis entry is 13791 bytes.

Run "makewhatis", see it coredump.  It crashes trying to increase the
sbuf from 4096->8912->16384 bytes.

>Fix:

The only change absolutely required is the addition of the sbuf->last
assignment.  The other changes were to help debug the problem.
Bounds-checking gcc flagged the overlapping strcpy, and the while line
generates an invalid pointer during the compare.

Index: makewhatis.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/makewhatis/makewhatis.c,v
retrieving revision 1.6
diff -u -p -r1.6 makewhatis.c
--- makewhatis.c	7 Jun 2002 01:01:08 -0000	1.6
+++ makewhatis.c	27 Jun 2002 18:49:35 -0000
@@ -217,16 +217,19 @@ static void
 sbuf_need(struct sbuf *sbuf, int nchars)
 {
 	/* let's assume we only need to double it, but check just in case */
-	while (sbuf->end + nchars > sbuf->last) {
+	while (sbuf->last - sbuf->end < nchars) {
 		int alloc;
 		char *new_content;
 
 		alloc = (sbuf->last - sbuf->content + 1) * 2;
 		new_content = (char *) malloc(alloc);
+		if (new_content == NULL)
+			err(1, "sbuf_need malloc");
 		memcpy(new_content, sbuf->content, sbuf->end - sbuf->content);
 		sbuf->end = new_content + (sbuf->end - sbuf->content);
 		free(sbuf->content);
 		sbuf->content = new_content;
+		sbuf->last = sbuf->content + alloc - 1;
 	}
 }
 
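Review bot: the added `sbuf->last = sbuf->content + alloc - 1;` is the load-bearing line and should stay even if the debugging changes are dropped: `alloc` is computed from `sbuf->last - sbuf->content`, and the loop condition reads `sbuf->last` again on the next iteration, so once `content` had been replaced the old `last` was being subtracted from a pointer into a different allocation. Two smaller points on the same hunk: `err()` needs `<err.h>`, which this hunk does not show being included; and since `last` now has to be rebased anyway, `realloc(sbuf->content, alloc)` would replace the malloc/memcpy/free sequence and leave only `end` and `last` to recompute, with the doubling loop still needed when a single append (the 4096->8192->16384 case in this report) outgrows one doubling.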
@@ -616,7 +619,7 @@ process_mdoc_line(char *line)
 				next = strchr(next, '"');
 				if (next == NULL)
 					break;
-				strcpy(next, &next[1]);
+				memmove(next, next+1, strlen(next));
 				line_end--;
 				if (*next != '"')
 					break;
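Review bot: the `memmove` length is correct but easy to misread as off by one: `strlen(next)` equals `strlen(next + 1) + 1`, so the call shifts the tail and the terminating NUL together. A one-line comment saying so would stop the next reader from "fixing" it to `strlen(next + 1)`, which would drop the terminator. Since `strcpy` on overlapping buffers is undefined behaviour rather than merely something the bounds checker dislikes, the commit message should state that this hunk is a correctness fix and not only a warning cleanup.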


>Release-Note:
>Audit-Trail:
>Unformatted:
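A stand-alone C model of the buffer-growth loop this report describes, added here as an example; it is not code from the report or from FreeBSD's makewhatis.c. The struct field names (content, end, last) follow the hunk above, the sbuf_need() body is the patched loop, and the rest (sbuf_init, sbuf_append, the 4096-byte initial size, the 100-byte chunks) is assumed for the demonstration. grow_to_long_entry() reproduces the 4096 -> 8192 -> 16384 doubling for a 13791-byte entry, the figures quoted in the report, and unescape_quote() performs the overlapping in-place shift from the second hunk with memmove.

```c
/* Added example, not from the PR or from FreeBSD's makewhatis.c.  Field
 * names follow the patch; sizes and test strings are constructed here. */
#include <err.h>
#include <stdlib.h>
#include <string.h>

struct sbuf {
	char *content;	/* start of the allocation */
	char *end;	/* one past the last byte in use (always NUL there) */
	char *last;	/* last usable byte of the allocation */
};

static void
sbuf_init(struct sbuf *sbuf, int size)
{
	sbuf->content = malloc(size);
	if (sbuf->content == NULL)
		err(1, "sbuf_init malloc");
	sbuf->end = sbuf->content;
	sbuf->last = sbuf->content + size - 1;
	*sbuf->end = '\0';
}

/* capacity in bytes, derived the same way the patch's alloc line does */
static int
sbuf_capacity(const struct sbuf *sbuf)
{
	return sbuf->last - sbuf->content + 1;
}

/* grow until nchars more bytes fit; mirrors the patched loop */
static void
sbuf_need(struct sbuf *sbuf, int nchars)
{
	while (sbuf->last - sbuf->end < nchars) {
		int alloc;
		char *new_content;

		alloc = sbuf_capacity(sbuf) * 2;
		new_content = malloc(alloc);
		if (new_content == NULL)
			err(1, "sbuf_need malloc");
		memcpy(new_content, sbuf->content, sbuf->end - sbuf->content);
		sbuf->end = new_content + (sbuf->end - sbuf->content);
		free(sbuf->content);
		sbuf->content = new_content;
		/* the line the original code lacked: without it the next
		 * iteration subtracts pointers from two different allocations */
		sbuf->last = sbuf->content + alloc - 1;
	}
}

/* append a NUL-terminated string, keeping content NUL-terminated */
static void
sbuf_append(struct sbuf *sbuf, const char *s)
{
	int len = strlen(s);

	sbuf_need(sbuf, len + 1);
	memcpy(sbuf->end, s, len + 1);
	sbuf->end += len;
}

/* 1 if end lies inside [content, last], 0 otherwise */
static int
sbuf_ok(const struct sbuf *sbuf)
{
	return sbuf->end >= sbuf->content && sbuf->end <= sbuf->last;
}

/* Build an entry of entry_len bytes in 100-byte chunks from a 4096-byte
 * buffer and return the final capacity, or -1 if the buffer is inconsistent
 * or the text was not preserved across the resizes. */
static int
grow_to_long_entry(int entry_len)
{
	struct sbuf sb;
	char chunk[101];
	int cap;

	sbuf_init(&sb, 4096);
	memset(chunk, 'x', 100);
	chunk[100] = '\0';
	while (sb.end - sb.content < entry_len) {
		int want = entry_len - (sb.end - sb.content);

		if (want < 100)
			chunk[want] = '\0';	/* final, shorter chunk */
		sbuf_append(&sb, chunk);
	}
	if (!sbuf_ok(&sb) || (int)strlen(sb.content) != entry_len)
		cap = -1;
	else
		cap = sbuf_capacity(&sb);
	free(sb.content);
	return cap;
}

/* Collapse a doubled quote ("" -> ") in place at p, as the second hunk does.
 * strlen(p) == strlen(p + 1) + 1, so the move carries the NUL along.
 * Returns the length of the string that now starts at p. */
static size_t
unescape_quote(char *p)
{
	memmove(p, p + 1, strlen(p));	/* overlapping: memmove, not strcpy */
	return strlen(p);
}
```

Calling grow_to_long_entry(13791) returns 16384: the first doubling happens when the 4096-byte buffer can no longer take a 101-byte chunk, the second when the 8192-byte buffer cannot, and the entry then fits. With the `sbuf->last` assignment removed, the second pass through the loop computes `alloc` from pointers into two different allocations, which is the failure the report describes.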

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206271921.g5RJLIMi072400>