From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Oct 11 16:10:17 2005 Return-Path: X-Original-To: freebsd-ports-bugs@hub.freebsd.org Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C205116A443 for ; Tue, 11 Oct 2005 16:10:17 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55F6D43D5D for ; Tue, 11 Oct 2005 16:10:16 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j9BGAGIl020130 for ; Tue, 11 Oct 2005 16:10:16 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j9BGAGc1020129; Tue, 11 Oct 2005 16:10:16 GMT (envelope-from gnats) Resent-Date: Tue, 11 Oct 2005 16:10:16 GMT Resent-Message-Id: <200510111610.j9BGAGc1020129@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, vd@datamax.bg Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E25A16A443; Tue, 11 Oct 2005 16:09:38 +0000 (GMT) (envelope-from vd@datamax.bg) Received: from jengal.datamax.bg (jengal.datamax.bg [82.103.104.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4AE743D45; Tue, 11 Oct 2005 16:09:37 +0000 (GMT) (envelope-from vd@datamax.bg) Received: from qlovarnika.bg.datamax (qlovarnika.bg.datamax [192.168.10.2]) by jengal.datamax.bg (Postfix) with SMTP id 1B4B1B83E; Tue, 11 Oct 2005 19:09:33 +0300 (EEST) Received: (nullmailer pid 87549 invoked by uid 1002); Tue, 11 Oct 2005 16:09:33 -0000 Message-Id: <20051011160932.GA87477@qlovarnika.bg.datamax> Date: Tue, 11 Oct 2005 19:09:32 +0300 From: Vasil Dimov To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: mnag@FreeBSD.org Subject: ports/87260: devel/str uses the same va_list ap twice causing segfault X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vd@datamax.bg List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Oct 2005 16:10:17 -0000 >Number: 87260 >Category: ports >Synopsis: devel/str uses the same va_list ap twice causing segfault >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Oct 11 16:10:15 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Vasil Dimov >Release: FreeBSD 6.0-RC1 amd64 >Organization: DataMax >Environment: System: FreeBSD qlovarnika.bg.datamax 6.0-RC1 FreeBSD 6.0-RC1 #0: Mon Oct 10 17:41:04 EEST 2005 root@qlovarnika.bg.datamax:/usr/obj/usr/src/sys/QLOVARNIKA amd64 >Description: I discovered the following bug in devel/str port on my brand new architecture (amd64): * String Parsing test in `make check' fails * Example code from str(3) "Substitute Text in a String" the one with str_parse(var, "s/^(.+?):(.+)$/$1-%s-$2/", &new, subst); causes signal 11 to be delivered Here is the backtrace of the above str_parse() call: Program received signal SIGSEGV, Segmentation fault. 0x000000080063fe84 in str_len ( s=0xffffffff804617d0 ) at str_basic.c:43 43 while (*t++ != NUL) #0 0x000000080063fe84 in str_len ( s=0xffffffff804617d0 ) at str_basic.c:43 #1 0x00000008006447a2 in str_vformat (vbuff=0x7fffffffe6f0, fmt=0x7fffffffe7d7 "s-%{2}R", ap=0x7fffffffe920) at str_format.c:886 #2 0x0000000800642b25 in str_parse_va (string=0x400a0c "foo:bar", pattern=0x400a19 "s/^(.+?):(.+)$/$1-%s-$2/", ap=0x7fffffffe920) at str_parse.c:588 #3 0x0000000800641cb7 in str_parse (string=0x400a0c "foo:bar", pattern=0x400a19 "s/^(.+?):(.+)$/$1-%s-$2/") at str_parse.c:268 #4 0x0000000000400942 in main (argc=1, argv=0x7fffffffeaa0) at tmp.c:29 the problem is that `ap' is used twice: on str_parse.c:567 and str_parse.c:588, the first usage "exhausts" it and makes it unusable (the actual exhaustion with va_arg is done in str_vformat() in str_format.c). The bug reveals itself only on amd64, it waits in ambush on i386. >How-To-Repeat: # uname -m amd64 /usr/ports/devel/str# make check >Fix: --- str-ap.diff begins here --- diff -urN --exclude=CVS --exclude=README.html str/Makefile /usr/ports/devel/str/Makefile --- str/Makefile Tue Oct 4 08:21:23 2005 +++ /usr/ports/devel/str/Makefile Tue Oct 11 18:00:16 2005 @@ -7,6 +7,7 @@ PORTNAME= str PORTVERSION= 0.9.11 +PORTREVISION= 1 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_OSSP} MASTER_SITE_SUBDIR= lib/${PORTNAME} diff -urN --exclude=CVS --exclude=README.html str/files/patch-str_parse.c.diff /usr/ports/devel/str/files/patch-str_parse.c.diff --- str/files/patch-str_parse.c.diff Thu Jan 1 02:00:00 1970 +++ /usr/ports/devel/str/files/patch-str_parse.c.diff Tue Oct 11 17:56:44 2005 @@ -0,0 +1,14 @@ +--- str_parse.c.orig Tue Oct 11 17:44:45 2005 ++++ str_parse.c Tue Oct 11 17:49:35 2005 +@@ -564,7 +564,10 @@ + sf.data[3].p = (char *)string; + sf.data[4].p = cap_vec; + sf.data[5].i = cap_num; +- l = str_vformat(&sf, buf_ptr, ap); ++ /* we shall need `ap' untouched later */ ++ va_list ap_temp; ++ va_copy(ap_temp, ap); ++ l = str_vformat(&sf, buf_ptr, ap_temp); + + /* allocate output buffer */ + if ((*cpp = (char *)malloc(l+1)) == NULL) { --- str-ap.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted: