Snapshots for CURRENT

Julien ÉLIE julien at trigofacile.com
Fri Aug 10 07:44:53 UTC 2007


In reply to Russ Allbery:
>> By the way, I have for innd/artparse.t:
>
>> ==9259== Invalid write of size 1
>> ==9259==    at 0x805257F: ARTsetup (art.c:287)
>> ==9259==    by 0x8051628: initialize (artparse-t.c:98)
>> ==9259==    by 0x8051A19: main (artparse-t.c:175)
>> ==9259==  Address 0x42DF927 is 1 bytes before a block of size 1 alloc'd
>> ==9259==    at 0x401D38B: malloc (vg_replace_malloc.c:149)
>> ==9259==    by 0x80A296A: x_strdup (xmalloc.c:128)
>> ==9259==    by 0x8052569: ARTsetup (art.c:286)
>> ==9259==    by 0x8051628: initialize (artparse-t.c:98)
>> ==9259==    by 0x8051A19: main (artparse-t.c:175)
>
> I haven't looked at that in detail yet, but that definitely looks like a
> bug.


I do not understand why it happens.
It is here:

ARTsetup(void)
{
  /* Get our Path name, kill trailing !. */
  ARTpathme = xstrdup(Path.data);
  ARTpathme[Path.used - 1] = '\0';

And it should come from:

    Path.used = strlen(innconf->pathhost) + 1;
    Path.size = Path.used + 1;
    Path.data = xmalloc(Path.size);
    snprintf(Path.data, Path.size, "%s!", innconf->pathhost);

286       ARTpathme = xstrdup(Path.data);
(gdb) print ARTpathme
$3 = 0x0
(gdb) print Path
$4 = {size = 1024, used = 0, left = 1, data = 0x80d00a0 ""}
(gdb) print *Path.data
$5 = 0 '\0'
(gdb) next
287       ARTpathme[Path.used - 1] = '\0';
(gdb) print *ARTpathme
$6 = 0 '\0'

And then, there is an illegal write since Path.used = 0.


I do not know why Path.size = 1024 while Path.used = 0...
And I even tried to add a pathhost: line in tests/data/etc/inn.conf;
nothing is seen (Path.data is still "").

-- 
Julien ÉLIE

« -- We swim in the lake, we climb the mountains...
  -- So what? We're not on holiday! » (Astérix)
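The valgrind report and the gdb session above fit together: Path.used is 0 when ARTsetup runs, so the index used - 1 wraps below zero (the buffer fields are size_t) and the store lands one byte before the block xstrdup just allocated, which is exactly the "1 bytes before a block of size 1" valgrind reports. The following C program is an added illustration, not code from INN or from this thread: it rebuilds the Path buffer with the quoted initialisation logic (a constructed host name stands in for innconf->pathhost), reproduces the unchecked strip from ARTsetup beside a variant that refuses an empty or unexpected buffer, and feeds the hardened variant the exact state gdb printed (size 1024, used 0, data ""). The struct layout and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the Path buffer seen in the gdb session (assumed layout:
 * size, used, left and data, all counts as size_t). */
struct buffer {
    size_t size;   /* bytes allocated for data */
    size_t used;   /* bytes in use, not counting the terminating NUL */
    size_t left;   /* size - used */
    char *data;
};

/* Duplicate a NUL-terminated string with malloc (portable stand-in for xstrdup). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* Initialise Path as the quoted code does: "<pathhost>!" with used
 * counting the '!' but not the NUL, and size one byte larger. */
bool path_init(struct buffer *path, const char *pathhost)
{
    path->used = strlen(pathhost) + 1;
    path->size = path->used + 1;
    path->data = malloc(path->size);
    if (path->data == NULL)
        return false;
    snprintf(path->data, path->size, "%s!", pathhost);
    path->left = path->size - path->used;
    return true;
}

/* The pattern from ARTsetup: copy, then overwrite data[used - 1].
 * Correct only when used >= 1; with used == 0 the size_t subtraction wraps
 * and the store lands one byte before the malloc'd block. */
char *path_strip_bang_unchecked(const struct buffer *path)
{
    char *pathme = dup_string(path->data);
    if (pathme == NULL)
        return NULL;
    pathme[path->used - 1] = '\0';
    return pathme;
}

/* Hardened variant: refuse an empty Path and only strip a '!' that is
 * really there, so an unset pathhost surfaces as a NULL result instead
 * of an out-of-bounds write. */
char *path_strip_bang(const struct buffer *path)
{
    if (path->data == NULL || path->used == 0)
        return NULL;
    if (path->used > path->size || path->data[path->used - 1] != '!')
        return NULL;           /* not the "<pathhost>!" shape we expect */
    char *pathme = dup_string(path->data);
    if (pathme == NULL)
        return NULL;
    pathme[path->used - 1] = '\0';
    return pathme;
}

int main(void)
{
    struct buffer good;
    if (!path_init(&good, "news.example.org"))   /* constructed host name */
        return 1;
    char *p = path_strip_bang(&good);
    printf("initialised Path: \"%s\" -> \"%s\"\n", good.data, p ? p : "(null)");
    free(p);
    free(good.data);

    /* The state printed by gdb: size 1024, used 0, data "". */
    char empty[1] = "";
    struct buffer bad = { 1024, 0, 1, empty };
    p = path_strip_bang(&bad);
    printf("empty Path: %s\n", p == NULL ? "rejected, no write at data[-1]" : "unexpected");
    free(p);
    return 0;
}
```

Running the program with the initialised buffer strips the trailing '!' as ARTsetup intends; handing the hardened function the empty buffer from the gdb session returns NULL rather than touching memory before the allocation, which is the condition a valgrind run of the test would otherwise flag.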