~nabijaczleweli/ossp#192: 
[cfg 0.9.11] cfg_export dumps core on FreeBSD, Darwin

#Upstream Ticket 192 from 2012-11-03 02:06:43

While evaluating libcfg for a project I'm starting, I ran its test on FreeBSD 9 and OS X, and it dumped core on both. It looks like a va_list is being misused: the va_arg() call that initializes `s` on line 908 of cfg_fmt.c returns a bogus pointer (0x1 in the attached backtrace) instead of the `char *` argument that was actually passed. Passing a va_list to a callee that consumes arguments from it with va_arg() and then using that same va_list again in the caller is undefined behaviour (C99 §7.15.1p3) — it happens to work on some ABIs and crashes on others, which would explain the platform-dependent result. As a workaround I put a va_copy() at the top of cfg_fmt_format(), making a private copy of ap (a va_copy() has to be paired with a va_end() on the copy before the function returns), and changed cfg_fmt_format() to operate on that copy. The test then passes. I'm not sure this is the right fix — if the real cause is a caller that hands the same ap to cfg_fmt_vsprintf() more than once (cfg_buf_vformat() looks like the candidate, given the differing n values in the backtrace), the va_copy() belongs at that call site rather than in cfg_fmt_format() — but at least the code runs and passes its test.

Status
REPORTED
Submitter
~nabijaczleweli
Assigned to
No-one
Submitted
4 months ago
Updated
4 months ago
Labels
CVSTrac cfg

~nabijaczleweli 4 months ago

#Attached backtrace.txt on 2012-11-03 02:07:52

(gdb) bt full
#0  cfg_fmt_format (vbuff=0x7fffffffd020, fmt=0x80082aa86 "s", ap=0x7fffffffd0f0) at cfg_fmt.c:908
        sp = 0x80102c108 ""
        bep = 0x80102c109 ""
        cc = 0
        i = 0
        s = 0x1 <Address 0x1 out of bounds>
        q = 0x1 <Address 0x1 out of bounds>
        s_len = 1
        min_width = 0
        precision = 0
        adjust = RIGHT
        pad_char = 32 ' '
        prefix_char = 0 '\000'
        fp_num = 1.6980165114969422e-313
        i_quad = 0
        ui_quad = 140737488344368
        i_num = 0
        ui_num = 2177008
        num_buf = "\300\316\377\377\377\177\000\000\000\000\000\000\000\000\000\000\300\240a\000\b\000\000\000\000\316\377\377\377\177\000\000\340\316\377\377\377\177\000\000\000\000\000\000\000\000\000\000\340\316\377\377\377\177\000\000\067\205`\000\b\000\000\000\201\000\b\000\000\000$`\257\001\000\000\000\000\317\001\234\340\b", '\000' <repeats 11 times>, "\001\000\000\000\001\000\000\000\000\304a\000\b\000\000\000\b\255\201\000\b\000\000\000\320\317\377\377\377\177\000\000\200\316\377\377\377\177\000\000\000\304a\000\b\000\000\000@\317\377\377\377\177\000\000@\317\377\377\377\177\000\000\340\316\377\377\377\177\000\000\340\316\377\377\377\177\000\000\201\000\b\000\000\000]\207`\000\b\000\000\000\201\000\b\000\000\000$`\257\001\000\000\000\000\317\001\234\340\b", '\000' <repeats 11 times>, "\001\000\000\000\b\000\000\000\000\304a\000\b\000\000\000\b\255\201\000\b\000\000\000\320\317\377\377\377\177\000\000\200\316\377\377\377\177\000\000\000\304a\000\b\000\000\000\020\317\377\377\377\177\000\000@\317\377\377\377\177\000\000\240\316\377\377\377\177\000\000\357\212`\000\b\000\000\000\000\300"...
        char_buf = "\000"
        var_type = IS_INT
---Type <return> to continue, or q <return> to quit---
        alternate_form = 0
        print_sign = 0
        print_blank = 0
        adjust_precision = 0
        adjust_width = 0
        is_negative = 0
        extinfo = "\000\000\000\000\b\000\000\000e\245K\t\000\000\000\000\b\255\201"
#1  0x00000008008243be in cfg_fmt_vsprintf (s=0x80102c108 "", n=2, fmt=0x80082aa85 "%s",
    ap=0x7fffffffd0f0) at cfg_fmt.c:1141
        handle = {curpos = 0x80102c108 "", endpos = 0x80102c109 "",
          flush = 0x8008242b0 <cfg_fmt_flush_real>, format = 0x0, data = {{i = -12288,
              l = 140737488343040, d = 6.9533558072278965e-310, vp = 0x7fffffffd000}, {i = 2, l = 2,
              d = 9.8813129168249309e-324, vp = 0x2}, {i = -12160, l = 140737488343168,
              d = 6.9533558072342205e-310, vp = 0x7fffffffd080}, {i = 8507650, l = 34368246018,
              d = 1.698016966531402e-313, vp = 0x80081d102 <cfg_buf_resize+130>}, {i = 0,
              l = 4294967296, d = 2.1219957909652723e-314, vp = 0x100000000}, {i = 16937024,
              l = 34376675392, d = 1.6984334329423367e-313, vp = 0x801027040}}}
        buf = "0\325\377\377\377\177", '\000' <repeats 13 times>
        rv = 1
#2  0x000000080081d57f in cfg_buf_vformat (buf=0x801027040, fmt=0x80082aa85 "%s", ap=0x7fffffffd0f0)
    at cfg_buf.c:161
        rc = CFG_OK
        n = 1
#3  0x000000080081d4b6 in cfg_buf_format (buf=0x801027040, fmt=0x80082aa85 "%s") at cfg_buf.c:144
        ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffd1d0,
            reg_save_area = 0x7fffffffd110}}
        rc = CFG_OK
#4  0x000000080082515f in export_format (ctx=0x7fffffffd3f0, fmt=0x80082aa95 "\"") at cfg_syn.c:237
        i = 32767
        cp = 0x80102c106 "\""
        cp2 = 0x0
---Type <return> to continue, or q <return> to quit---
        ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffd2f0,
            reg_save_area = 0x7fffffffd230}}
        str = 0x80102c106 "\""
#5  0x00000008008252a6 in export_token (ctx=0x7fffffffd3f0,
    token=0x8010170a0 "==== Shell-style EOL comments ====") at cfg_syn.c:281
        cp = 0x8010170a4 " Shell-style EOL comments ===="
        out = 0x601340 ""
        plain = 0
        c = 0 '\000'
#6  0x00000008008255e2 in export_node (ctx=0x7fffffffd3f0, node=0x801018030) at cfg_syn.c:348
        type = CFG_NODE_TYPE_ARG
        node2 = 0x0
        rc = CFG_OK
        token = 0x8010170a0 "==== Shell-style EOL comments ===="
#7  0x000000080082550e in export_node (ctx=0x7fffffffd3f0, node=0x801018088) at cfg_syn.c:334
        type = CFG_NODE_TYPE_DIR
        node2 = 0x801018030
        rc = CFG_OK
        token = 0x206 <Address 0x206 out of bounds>
#8  0x00000008008256c1 in cfg_syn_export (cfg=0x801007400, node=0x801018088, output=0x7fffffffd468)
    at cfg_syn.c:383
        buf = 0x801027040
        rc = CFG_OK
        ctx = {cfg = 0x801007400, buf = 0x801027040, indent = 0}
        root = 0x801019268
#9  0x000000080081cf7e in cfg_export (cfg=0x801007400, node=0x801019268, fmt=CFG_FMT_CFG,
    ex_ptr=0x7fffffffd4b8, ex_len=0) at cfg_main.c:197
        rv = 32767
        output = 0x202 <Address 0x202 out of bounds>
        n = 34366144512
#10 0x0000000000400c04 in main (argc=2, argv=0x7fffffffd530) at cfg_test.c:86
---Type <return> to continue, or q <return> to quit---
        rc = CFG_OK
        im_ptr = 0x801053600 ""
        im_size = 2206
        im_used = 2205
        ex_ptr = 0x800b0a56a <atexit+42> "H\203\304(H\017\276\027\061\311H\301\372?f\017\037D"
        error = 0x7fffffffd530 "\030\330\377\377\377\177"
        cfg = 0x801007400
        vec = 0x7fffffffd510
        i = 0

~nabijaczleweli 4 months ago

#Final remarks as of 2012-11-03 02:12

2012-Nov-03 02:12:26 by anonymous:
I should mention that the test runs and passes on Linux and Solaris. That doesn't rule out the va_list misuse, though — reusing a consumed va_list is undefined behaviour everywhere, and whether it crashes depends on the platform's va_list representation and stack layout rather than on the code being correct there.
