Date: Tue, 11 Oct 2005 19:09:32 +0300 From: Vasil Dimov <vd@datamax.bg> To: FreeBSD-gnats-submit@FreeBSD.org Cc: mnag@FreeBSD.org Subject: ports/87260: devel/str uses the same va_list ap twice causing segfault Message-ID: <20051011160932.GA87477@qlovarnika.bg.datamax> Resent-Message-ID: <200510111610.j9BGAGc1020129@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 87260
>Category: ports
>Synopsis: devel/str uses the same va_list ap twice causing segfault
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 11 16:10:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Vasil Dimov
>Release: FreeBSD 6.0-RC1 amd64
>Organization:
DataMax
>Environment:
System: FreeBSD qlovarnika.bg.datamax 6.0-RC1 FreeBSD 6.0-RC1 #0: Mon Oct 10 17:41:04 EEST 2005 root@qlovarnika.bg.datamax:/usr/obj/usr/src/sys/QLOVARNIKA amd64
>Description:
I discovered the following bug in devel/str port on my brand new
architecture (amd64):
* String Parsing test in `make check' fails
* Example code from str(3) "Substitute Text in a String"
the one with str_parse(var, "s/^(.+?):(.+)$/$1-%s-$2/", &new, subst);
causes signal 11 to be delivered
Here is the backtrace of the above str_parse() call:
Program received signal SIGSEGV, Segmentation fault.
0x000000080063fe84 in str_len (
s=0xffffffff804617d0 <Error reading address 0xffffffff804617d0: Bad address>) at str_basic.c:43
43 while (*t++ != NUL)
#0 0x000000080063fe84 in str_len (
s=0xffffffff804617d0 <Error reading address 0xffffffff804617d0: Bad address>) at str_basic.c:43
#1 0x00000008006447a2 in str_vformat (vbuff=0x7fffffffe6f0,
fmt=0x7fffffffe7d7 "s-%{2}R", ap=0x7fffffffe920) at str_format.c:886
#2 0x0000000800642b25 in str_parse_va (string=0x400a0c "foo:bar",
pattern=0x400a19 "s/^(.+?):(.+)$/$1-%s-$2/", ap=0x7fffffffe920)
at str_parse.c:588
#3 0x0000000800641cb7 in str_parse (string=0x400a0c "foo:bar",
pattern=0x400a19 "s/^(.+?):(.+)$/$1-%s-$2/") at str_parse.c:268
#4 0x0000000000400942 in main (argc=1, argv=0x7fffffffeaa0) at tmp.c:29
the problem is that `ap' is used twice:
on str_parse.c:567 and str_parse.c:588, the first usage "exhausts" it
and makes it unusable (the actual exhaustion with va_arg is done in
str_vformat() in str_format.c).
The bug reveals itself only on amd64, it waits in ambush on i386.
>How-To-Repeat:
# uname -m
amd64
/usr/ports/devel/str# make check
>Fix:
--- str-ap.diff begins here ---
diff -urN --exclude=CVS --exclude=README.html str/Makefile /usr/ports/devel/str/Makefile
--- str/Makefile Tue Oct 4 08:21:23 2005
+++ /usr/ports/devel/str/Makefile Tue Oct 11 18:00:16 2005
@@ -7,6 +7,7 @@
PORTNAME= str
PORTVERSION= 0.9.11
+PORTREVISION= 1
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_OSSP}
MASTER_SITE_SUBDIR= lib/${PORTNAME}
diff -urN --exclude=CVS --exclude=README.html str/files/patch-str_parse.c.diff /usr/ports/devel/str/files/patch-str_parse.c.diff
--- str/files/patch-str_parse.c.diff Thu Jan 1 02:00:00 1970
+++ /usr/ports/devel/str/files/patch-str_parse.c.diff Tue Oct 11 17:56:44 2005
@@ -0,0 +1,14 @@
+--- str_parse.c.orig Tue Oct 11 17:44:45 2005
++++ str_parse.c Tue Oct 11 17:49:35 2005
+@@ -564,7 +564,10 @@
+ sf.data[3].p = (char *)string;
+ sf.data[4].p = cap_vec;
+ sf.data[5].i = cap_num;
+- l = str_vformat(&sf, buf_ptr, ap);
++ /* we shall need `ap' untouched later */
++ va_list ap_temp;
++ va_copy(ap_temp, ap);
++ l = str_vformat(&sf, buf_ptr, ap_temp);
+
+ /* allocate output buffer */
+ if ((*cpp = (char *)malloc(l+1)) == NULL) {
--- str-ap.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051011160932.GA87477>