rcs: uninitialized pointer leads to segfault

rcs: uninitialized pointer leads to segfault

Tobias Stoeckmann-5
Hi,

as jsg@ pointed out, rcs will segfault reliably when using malloc.conf with
'J' (the pointer in question is filled with d0's).

The pointer "rp_delta" is checked at the end of rcsparse_delta.  If it's
non-NULL, it will be included into a linked list; line 1181 of rcsparse.c.

This RCS file triggers the segfault, as supplied by jsg@:
----------
head 1.1;
access;
symbols
        OPENBSD_5_6_BASE:1.1;
locks; strict;
comment @# @;


@.1
date 95.12.18.15.18.15; author deraadt; state Exp;
branches:
n
----------

$ rlog foo,v
rlog: foo,v:9: no newline at end of file
Segmentation fault (core dumped)


Tobias

Index: usr.bin/cvs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/cvs/rcsparse.c,v
retrieving revision 1.8
diff -u -p -u -p -r1.8 rcsparse.c
--- usr.bin/cvs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.8
+++ usr.bin/cvs/rcsparse.c 22 Nov 2014 10:32:32 -0000
@@ -228,6 +228,7 @@ rcsparse_init(RCSFILE *rfp)
  pdp->rp_buf = xmalloc(RCS_BUFSIZE);
  pdp->rp_blen = RCS_BUFSIZE;
  pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
+ pdp->rp_delta = NULL;
  pdp->rp_token = -1;
  pdp->rp_lineno = 1;
  pdp->rp_msglineno = 1;
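Review bot: the explicit `pdp->rp_delta = NULL;` closes the one hole reported, but it only covers that member; `pdp` itself comes from `xmalloc` (visible as the removed line in the follow-up diff in this thread), so any other member rcsparse_init does not assign keeps whatever the allocator hands back, which is 0xd0 junk under malloc.conf 'J'. Consider allocating with `xcalloc(1, sizeof(*pdp))` so every field starts zeroed; the assignments that need a non-zero start value, such as `pdp->rp_token = -1;` and `pdp->rp_lineno = 1;` in the context lines here, stay as they are.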
Index: usr.bin/rcs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/rcs/rcsparse.c,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 rcsparse.c
--- usr.bin/rcs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.11
+++ usr.bin/rcs/rcsparse.c 22 Nov 2014 10:32:32 -0000
@@ -227,6 +227,7 @@ rcsparse_init(RCSFILE *rfp)
  pdp->rp_buf = xmalloc(RCS_BUFSIZE);
  pdp->rp_blen = RCS_BUFSIZE;
  pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
+ pdp->rp_delta = NULL;
  pdp->rp_token = -1;
  pdp->rp_lineno = 1;
  pdp->rp_msglineno = 1;
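Review bot: same point as for the usr.bin/cvs copy: this fixes rp_delta but leaves every other unassigned member of `*pdp` holding allocator junk, so zeroing the whole struct at allocation is the more robust fix. The two rcsparse.c files are clearly maintained in parallel (identical hunks, offset by one line), so whichever variant lands should go into both trees in the same commit. Minor: the diff header carries the options twice (`-u -p -u -p`); harmless, but worth tidying before commit.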

Re: rcs: uninitialized pointer leads to segfault

Tobias Stoeckmann-5
On Sat, Nov 22, 2014 at 11:45:02AM +0100, Tobias Stoeckmann wrote:
> as jsg@ pointed out, rcs will segfault reliably when using malloc.conf with
> 'J' (the pointer in question is filled with d0's).

As Theo suggested, xcalloc will take care of this pointer and other
struct entries which are not initialized right at the start.


Index: usr.bin/cvs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/cvs/rcsparse.c,v
retrieving revision 1.8
diff -u -p -r1.8 rcsparse.c
--- usr.bin/cvs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.8
+++ usr.bin/cvs/rcsparse.c 22 Nov 2014 15:36:47 -0000
@@ -224,7 +224,7 @@ rcsparse_init(RCSFILE *rfp)
  if (rfp->rf_flags & RCS_PARSED)
  return (0);
 
- pdp = xmalloc(sizeof(*pdp));
+ pdp = xcalloc(sizeof(*pdp));
  pdp->rp_buf = xmalloc(RCS_BUFSIZE);
  pdp->rp_blen = RCS_BUFSIZE;
  pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
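Review bot: `xcalloc(sizeof(*pdp))` passes a single argument; xcalloc takes a count and a size like calloc(3), so this line will not compile as posted. It should read `pdp = xcalloc(1, sizeof(*pdp));` (the corrected form appears in the follow-up diff in this thread). Otherwise the approach is right: zero-filling the struct covers rp_delta and every other member not touched in rcsparse_init, which is why the earlier one-line `rp_delta = NULL` patch became unnecessary.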
Index: usr.bin/rcs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/rcs/rcsparse.c,v
retrieving revision 1.11
diff -u -p -r1.11 rcsparse.c
--- usr.bin/rcs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.11
+++ usr.bin/rcs/rcsparse.c 22 Nov 2014 15:36:48 -0000
@@ -223,7 +223,7 @@ rcsparse_init(RCSFILE *rfp)
  if (rfp->rf_flags & RCS_PARSED)
  return (0);
 
- pdp = xmalloc(sizeof(*pdp));
+ pdp = xcalloc(sizeof(*pdp));
  pdp->rp_buf = xmalloc(RCS_BUFSIZE);
  pdp->rp_blen = RCS_BUFSIZE;
  pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
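Review bot: same one-argument `xcalloc(sizeof(*pdp))` call as in the usr.bin/cvs hunk; it needs `xcalloc(1, sizeof(*pdp))`. Since both copies of rcsparse.c are patched identically, a build of both usr.bin/cvs and usr.bin/rcs before committing would have caught this.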

Re: rcs: uninitialized pointer leads to segfault

Jonathan Gray-11
On Sat, Nov 22, 2014 at 04:38:10PM +0100, Tobias Stoeckmann wrote:
> On Sat, Nov 22, 2014 at 11:45:02AM +0100, Tobias Stoeckmann wrote:
> > as jsg@ pointed out, rcs will segfault reliably when using malloc.conf with
> > 'J' (the pointer in question is filled with d0's).
>
> As Theo suggested, xcalloc will take care of this pointer and other
> struct entries which are not initialized right at the start.

As that diff got committed and backed out, here is one
with the missing arguments to xcalloc:

Index: rcs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/rcs/rcsparse.c,v
retrieving revision 1.11
diff -u -p -r1.11 rcsparse.c
--- rcs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.11
+++ rcs/rcsparse.c 23 Nov 2014 03:25:02 -0000
@@ -223,7 +223,7 @@ rcsparse_init(RCSFILE *rfp)
  if (rfp->rf_flags & RCS_PARSED)
  return (0);
 
- pdp = xmalloc(sizeof(*pdp));
+ pdp = xcalloc(1, sizeof(*pdp));
  pdp->rp_buf = xmalloc(RCS_BUFSIZE);
  pdp->rp_blen = RCS_BUFSIZE;
  pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
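Review bot: `xcalloc(1, sizeof(*pdp))` is the correct call. With the struct now zero-filled, the explicit assignments that follow in rcsparse_init still matter for any member whose starting value is not zero (the earlier diff in this thread shows `rp_token = -1` and `rp_lineno = 1` a few lines below this hunk), so none of them should be dropped as redundant when this lands.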
Index: cvs/rcsparse.c
===================================================================
RCS file: /cvs/src/usr.bin/cvs/rcsparse.c,v
retrieving revision 1.8
diff -u -p -r1.8 rcsparse.c
--- cvs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.8
+++ cvs/rcsparse.c 23 Nov 2014 03:25:20 -0000
@@ -224,7 +224,7 @@ rcsparse_init(RCSFILE *rfp)
  if (rfp->rf_flags & RCS_PARSED)
  return (0);
 
- pdp = xmalloc(sizeof(*pdp));
+ pdp = xcalloc(1, sizeof(*pdp));
  pdp->rp_buf = xmalloc(RCS_BUFSIZE);
  pdp->rp_blen = RCS_BUFSIZE;
  pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
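Review bot: matches the usr.bin/rcs hunk; fine. The hunk sits at line 224 here versus 223 in the rcs copy, so the two files have already drifted by a line; a quick diff between usr.bin/cvs/rcsparse.c and usr.bin/rcs/rcsparse.c after committing would confirm they are otherwise still identical and that neither copy was missed.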

Re: rcs: uninitialized pointer leads to segfault

Jonathan Gray-11
On Sun, Nov 23, 2014 at 02:30:27PM +1100, Jonathan Gray wrote:

> On Sat, Nov 22, 2014 at 04:38:10PM +0100, Tobias Stoeckmann wrote:
> > On Sat, Nov 22, 2014 at 11:45:02AM +0100, Tobias Stoeckmann wrote:
> > > as jsg@ pointed out, rcs will segfault reliably when using malloc.conf with
> > > 'J' (the pointer in question is filled with d0's).
> >
> > As Theo suggested, xcalloc will take care of this pointer and other
> > struct entries which are not initialized right at the start.
>
> As that diff got committed and backed out here is one
> with the missing arguments to xcalloc:

Ah, it was fixed, not backed out, nevermind.
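The thread above describes a class of bug rather than a one-off: a struct comes out of malloc, the init routine assigns most members by hand, one pointer is missed, and a later "is it non-NULL?" check treats the leftover bytes as a live object. Plain malloc often returns fresh zeroed pages, which is why it went unnoticed until malloc.conf 'J' filled the allocation with 0xd0. The following is an added example written for this page, not code from the OpenBSD rcs or cvs trees: the names `struct parser`, `struct delta`, `junk_malloc`, `BUFSIZE`, `parser_init_buggy`, `parser_init_fixed` and the check functions are stand-ins shaped after rcsparse_init() and the rcsparse_delta() check the first message mentions, not the real definitions. It reproduces the junk fill deterministically without malloc.conf and contrasts the malloc path with the calloc path, showing that zero-filling removes the stale pointer while fields with non-zero sentinels (rp_token's -1) still need their explicit assignment.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenBSD code. Names are illustrative stand-ins
 * modelled on rcsparse_init()/rcsparse_delta() from the thread.
 */

#define BUFSIZE   64      /* stand-in for RCS_BUFSIZE */
#define JUNK_BYTE 0xd0    /* what malloc.conf 'J' fills fresh allocations with */

struct delta {
    struct delta *next;
};

struct parser {
    char         *buf;
    size_t        blen;
    char         *bufend;
    struct delta *delta;   /* the member the first diff had to NULL by hand */
    int           token;
    int           lineno;
};

/* malloc(3) wrapper that imitates malloc.conf 'J': junk-fill new memory. */
static void *junk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, JUNK_BYTE, n);
    return p;
}

/* Members both init variants set, mirroring the unchanged lines of the hunks. */
static void set_common_fields(struct parser *p)
{
    p->buf = junk_malloc(BUFSIZE);
    p->blen = BUFSIZE;
    p->bufend = p->buf + p->blen - 1;
    p->token = -1;         /* non-zero sentinel: must be set even after calloc */
    p->lineno = 1;
}

/* Pre-fix pattern: struct from malloc, p->delta never assigned. */
struct parser *parser_init_buggy(void)
{
    struct parser *p = junk_malloc(sizeof(*p));
    if (p == NULL)
        return NULL;
    set_common_fields(p);
    return p;
}

/* Fixed pattern: calloc zeroes every member, then the non-zero ones are set. */
struct parser *parser_init_fixed(void)
{
    struct parser *p = calloc(1, sizeof(*p));
    if (p == NULL)
        return NULL;
    set_common_fields(p);
    return p;
}

/*
 * Mirrors the check at the end of rcsparse_delta(): a non-NULL delta pointer
 * is taken to be a real node and linked into a list. Returns 1 when the
 * parser would go on to dereference garbage instead.
 */
int parser_would_link_stale_delta(const struct parser *p)
{
    return p->delta != NULL;
}

/* 1 when every byte of the delta pointer is the junk byte, i.e. it was never set. */
int parser_delta_is_junk(const struct parser *p)
{
    unsigned char junk[sizeof(p->delta)];
    memset(junk, JUNK_BYTE, sizeof(junk));
    return memcmp(&p->delta, junk, sizeof(junk)) == 0;
}

void parser_free(struct parser *p)
{
    if (p == NULL)
        return;
    free(p->buf);
    free(p);
}

int main(void)
{
    struct parser *bad = parser_init_buggy();
    struct parser *good = parser_init_fixed();
    /* Exit 0 only if the buggy init exposes the stale pointer and the fixed one does not. */
    int ok = bad != NULL && good != NULL &&
             parser_would_link_stale_delta(bad) &&
             !parser_would_link_stale_delta(good);
    parser_free(bad);
    parser_free(good);
    return ok ? 0 : 1;
}
```

Swapping `junk_malloc` for plain `malloc` in `parser_init_buggy` makes the stale-pointer check flaky rather than reliable, which is the behaviour the thread reports: the bug is only visible when the allocator does not happen to return zeroed memory. On OpenBSD the same effect is obtained by running the real binary with malloc.conf 'J', as the first message does.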