When attempting to evaluate libcfg for a project I'm starting, I ran the test on my FreeBSD 9 and OS X systems, and it dumped core on both. It looks like there is some incorrect usage of va_list variables: the va_arg() call that initializes s on line 908 of cfg_fmt.c returns invalid memory (in the attached backtrace s is 0x1, "Address 0x1 out of bounds", while the conversion being processed is %s, so the string pointer is read from a stale argument position). Note that the C standard makes a va_list indeterminate in the caller once a callee has applied va_arg() to it, and the concrete layout of va_list is ABI-specific, so code that hands ap down through several levels (cfg_buf_format → cfg_buf_vformat → cfg_fmt_vsprintf → cfg_fmt_format here) and keeps consuming it is only portable if each consumer works on its own va_copy(). I put a va_copy() at the top of cfg_fmt_format(), making a copy of ap, and changed cfg_fmt_format() to operate on that copy (with a matching va_end() on the copy). The test then passes. I'm not sure if this is the right solution, but at least the code runs and passes its test.
#Attached
backtrace.txt
on 2012-11-03 02:07:52(gdb) bt full #0 cfg_fmt_format (vbuff=0x7fffffffd020, fmt=0x80082aa86 "s", ap=0x7fffffffd0f0) at cfg_fmt.c:908 sp = 0x80102c108 "" bep = 0x80102c109 "" cc = 0 i = 0 s = 0x1 <Address 0x1 out of bounds> q = 0x1 <Address 0x1 out of bounds> s_len = 1 min_width = 0 precision = 0 adjust = RIGHT pad_char = 32 ' ' prefix_char = 0 '\000' fp_num = 1.6980165114969422e-313 i_quad = 0 ui_quad = 140737488344368 i_num = 0 ui_num = 2177008 num_buf = "\300\316\377\377\377\177\000\000\000\000\000\000\000\000\000\000\300\240a\000\b\000\000\000\000\316\377\377\377\177\000\000\340\316\377\377\377\177\000\000\000\000\000\000\000\000\000\000\340\316\377\377\377\177\000\000\067\205`\000\b\000\000\000\201\000\b\000\000\000$`\257\001\000\000\000\000\317\001\234\340\b", '\000' <repeats 11 times>, "\001\000\000\000\001\000\000\000\000\304a\000\b\000\000\000\b\255\201\000\b\000\000\000\320\317\377\377\377\177\000\000\200\316\377\377\377\177\000\000\000\304a\000\b\000\000\000@\317\377\377\377\177\000\000@\317\377\377\377\177\000\000\340\316\377\377\377\177\000\000\340\316\377\377\377\177\000\000\201\000\b\000\000\000]\207`\000\b\000\000\000\201\000\b\000\000\000$`\257\001\000\000\000\000\317\001\234\340\b", '\000' <repeats 11 times>, "\001\000\000\000\b\000\000\000\000\304a\000\b\000\000\000\b\255\201\000\b\000\000\000\320\317\377\377\377\177\000\000\200\316\377\377\377\177\000\000\000\304a\000\b\000\000\000\020\317\377\377\377\177\000\000@\317\377\377\377\177\000\000\240\316\377\377\377\177\000\000\357\212`\000\b\000\000\000\000\300"... 
char_buf = "\000" var_type = IS_INT ---Type <return> to continue, or q <return> to quit--- alternate_form = 0 print_sign = 0 print_blank = 0 adjust_precision = 0 adjust_width = 0 is_negative = 0 extinfo = "\000\000\000\000\b\000\000\000e\245K\t\000\000\000\000\b\255\201" <a href="/~nabijaczleweli/ossp/1" title="~nabijaczleweli/ossp#1: (Ticket number 1 unused on CVSTrac)">#1</a> 0x00000008008243be in cfg_fmt_vsprintf (s=0x80102c108 "", n=2, fmt=0x80082aa85 "%s", ap=0x7fffffffd0f0) at cfg_fmt.c:1141 handle = {curpos = 0x80102c108 "", endpos = 0x80102c109 "", flush = 0x8008242b0 <cfg_fmt_flush_real>, format = 0x0, data = {{i = -12288, l = 140737488343040, d = 6.9533558072278965e-310, vp = 0x7fffffffd000}, {i = 2, l = 2, d = 9.8813129168249309e-324, vp = 0x2}, {i = -12160, l = 140737488343168, d = 6.9533558072342205e-310, vp = 0x7fffffffd080}, {i = 8507650, l = 34368246018, d = 1.698016966531402e-313, vp = 0x80081d102 <cfg_buf_resize+130>}, {i = 0, l = 4294967296, d = 2.1219957909652723e-314, vp = 0x100000000}, {i = 16937024, l = 34376675392, d = 1.6984334329423367e-313, vp = 0x801027040}}} buf = "0\325\377\377\377\177", '\000' <repeats 13 times> rv = 1 <a href="/~nabijaczleweli/ossp/2" title="~nabijaczleweli/ossp#2: (Ticket number 2 unused on CVSTrac)">#2</a> 0x000000080081d57f in cfg_buf_vformat (buf=0x801027040, fmt=0x80082aa85 "%s", ap=0x7fffffffd0f0) at cfg_buf.c:161 rc = CFG_OK n = 1 <a href="/~nabijaczleweli/ossp/3" title="~nabijaczleweli/ossp#3: (Ticket number 3 unused on CVSTrac)">#3</a> 0x000000080081d4b6 in cfg_buf_format (buf=0x801027040, fmt=0x80082aa85 "%s") at cfg_buf.c:144 ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffd1d0, reg_save_area = 0x7fffffffd110}} rc = CFG_OK <a href="/~nabijaczleweli/ossp/4" title="~nabijaczleweli/ossp#4: [mm 1.2.1] mm 1.2.1 core dumps on Sparc/Solaris 8">#4</a> 0x000000080082515f in export_format (ctx=0x7fffffffd3f0, fmt=0x80082aa95 "\"") at cfg_syn.c:237 i = 32767 cp = 0x80102c106 "\"" cp2 = 0x0 
---Type <return> to continue, or q <return> to quit--- ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffd2f0, reg_save_area = 0x7fffffffd230}} str = 0x80102c106 "\"" <a href="/~nabijaczleweli/ossp/5" title="~nabijaczleweli/ossp#5: [mm 1.2.1] This module cause a problem with Apache and PHP4">#5</a> 0x00000008008252a6 in export_token (ctx=0x7fffffffd3f0, token=0x8010170a0 "==== Shell-style EOL comments ====") at cfg_syn.c:281 cp = 0x8010170a4 " Shell-style EOL comments ====" out = 0x601340 "" plain = 0 c = 0 '\000' <a href="/~nabijaczleweli/ossp/6" title="~nabijaczleweli/ossp#6: [str 0.9.7] str_vformat with %.10s specifier can read invalid memory">#6</a> 0x00000008008255e2 in export_node (ctx=0x7fffffffd3f0, node=0x801018030) at cfg_syn.c:348 type = CFG_NODE_TYPE_ARG node2 = 0x0 rc = CFG_OK token = 0x8010170a0 "==== Shell-style EOL comments ====" <a href="/~nabijaczleweli/ossp/7" title="~nabijaczleweli/ossp#7: [mm 1.2.1] Segmentation fault at mod_mm.c:186">#7</a> 0x000000080082550e in export_node (ctx=0x7fffffffd3f0, node=0x801018088) at cfg_syn.c:334 type = CFG_NODE_TYPE_DIR node2 = 0x801018030 rc = CFG_OK token = 0x206 <Address 0x206 out of bounds> <a href="/~nabijaczleweli/ossp/8" title="~nabijaczleweli/ossp#8: [cfg 0.9.0] Build failed">#8</a> 0x00000008008256c1 in cfg_syn_export (cfg=0x801007400, node=0x801018088, output=0x7fffffffd468) at cfg_syn.c:383 buf = 0x801027040 rc = CFG_OK ctx = {cfg = 0x801007400, buf = 0x801027040, indent = 0} root = 0x801019268 <a href="/~nabijaczleweli/ossp/9" title="~nabijaczleweli/ossp#9: [sa 1.0.3] setsockopt(SO_RCVTIMEO/SO_SNDTIMEO) not working on Solaris 2.8">#9</a> 0x000000080081cf7e in cfg_export (cfg=0x801007400, node=0x801019268, fmt=CFG_FMT_CFG, ex_ptr=0x7fffffffd4b8, ex_len=0) at cfg_main.c:197 rv = 32767 output = 0x202 <Address 0x202 out of bounds> n = 34366144512 <a href="/~nabijaczleweli/ossp/10" title="~nabijaczleweli/ossp#10: (Ticket number 10 unused on CVSTrac)">#10</a> 0x0000000000400c04 in main 
(argc=2, argv=0x7fffffffd530) at cfg_test.c:86 ---Type <return> to continue, or q <return> to quit--- rc = CFG_OK im_ptr = 0x801053600 "" im_size = 2206 im_used = 2205 ex_ptr = 0x800b0a56a <atexit+42> "H\203\304(H\017\276\027\061\311H\301\372?f\017\037D" error = 0x7fffffffd530 "\030\330\377\377\377\177" cfg = 0x801007400 vec = 0x7fffffffd510 i = 0
#Final remarks as of 2012-11-03 02:12
2012-Nov-03 02:12:26 by anonymous:
I should mention that the test runs and passes on Linux and Solaris, so the failure is platform-dependent rather than a deterministic crash everywhere.