URL: <http://savannah.gnu.org/bugs/?48433>
Summary: lkbib with empty file dumps core
Project: GNU troff
Submitted by: sayama
Submitted on: Thu 07 Jul 2016 07:02:31 AM GMT
Severity: 3 - Normal
Item Group: Crash
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None

_______________________________________________________

Details:

On Solaris, I got a bug report that lkbib dumps core with the following operation.

---
% touch ./a.i
% LD_PRELOAD=libumem.so.1 UMEM_OPTIONS=backend=mmap \
UMEM_DEBUG=default,firewall=1 /usr/bin/lkbib -p ./a
Segmentation Fault (core dumped)
% pstack core
core 'core' of 1509: /usr/bin/lkbib -p ./a
 00000000004094fa __1cRindex_search_itemEload6Mi_i_ () + 10a
 0000000000409ad0 __1cWmake_index_search_item6Fpkci_pnLsearch_item__ () + e0
 000000000040ea47 __1cLsearch_listIadd_file6Mpkci_v_ () + 27
 0000000000408614 main () + f4
 00000000004083a4 ???????? ()
---

Then it looks like this core dump occurs at the following point.

---
src/libs/libbib/index.cpp ; int index_search_item::load(int fd)
  :
  mtime = sb.st_mtime;
  int size = int(sb.st_size);                <= size is 0
  :
  map_addr = mapread(fd, size);
  :
  else {
    addr = buffer = (char *)malloc(size);    <= malloc(0)
  :
  header = *(index_header *)addr;            <= Segv
---

From the specification of malloc() in the standard (e.g. C11),

---
I can see the C11 draft version at http://open-std.org/JTC1/SC22/WG14/www/docs/n1548.pdf
p 347 7.22.3 Memory management functions
-- If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object.
---

There is the possibility that it returns a pointer that shall not be used to access an object on some platform. So I think it's nice to check the size of the file to avoid the core dump.
--- --- groff-1.22.3/src/libs/libbib/index.cpp.org 2014-11-04 17:38:35.183524522 +0900 +++ groff-1.22.3/src/libs/libbib/index.cpp 2016-07-07 09:41:11.572149218 +0900 @@ -158,6 +158,10 @@ } mtime = sb.st_mtime; int size = int(sb.st_size); + if (size == 0) { + error("`%1' is an empty file", name); + return 0; + } char *addr; map_addr = mapread(fd, size); if (map_addr) { ---
_______________________________________________
bug-groff mailing list bug-groff@gnu.org https://lists.gnu.org/mailman/listinfo/bug-groff
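Review bot: the `if (size == 0)` guard only rules out the malloc(0) case; a file that is non-empty but shorter than `sizeof(index_header)` still reaches `header = *(index_header *)addr;` and reads past the end of the buffer, so consider `if (size < int(sizeof(index_header)))` with a message such as "`%1' is too short to be an index file". Since `size` is obtained via `int(sb.st_size)`, a negative value produced by the narrowing cast also slips past the equality test, and a `<` comparison covers that case as well.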
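The guard the report asks for, as an added example in C that is not groff's code: a hypothetical loader that refuses to read a fixed-size header out of a file that is empty or shorter than that header, so malloc(0) is never reached and no pointer from it is dereferenced. The names idx_header, load_index_header and write_test_file are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical fixed-size header, standing in for groff's index_header. */
typedef struct { unsigned int magic; unsigned int nitems; } idx_header;

/* Test helper: write len bytes to path, truncating it. Returns 1 on success. */
int write_test_file(const char *path, const void *data, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t w = len ? fwrite(data, 1, len, f) : 0;
    return fclose(f) == 0 && w == len;
}

/* Load the header of the index file at path into *out.
 * Returns 1 on success, 0 on failure; *reason gets a short diagnostic. */
int load_index_header(const char *path, idx_header *out, const char **reason)
{
    struct stat sb;
    int fd = open(path, O_RDONLY);
    if (fd < 0) { *reason = "open failed"; return 0; }
    if (fstat(fd, &sb) < 0) { close(fd); *reason = "fstat failed"; return 0; }
    /* The crash in the report: st_size == 0 turns into malloc(0), whose result
     * must not be dereferenced. Requiring a whole header also rejects files
     * that are non-empty but shorter than the struct read out of them. */
    if (sb.st_size < (off_t)sizeof(idx_header)) {
        close(fd);
        *reason = (sb.st_size == 0) ? "empty file" : "file shorter than header";
        return 0;
    }
    char *buf = malloc((size_t)sb.st_size);
    if (!buf) { close(fd); *reason = "malloc failed"; return 0; }
    ssize_t n = read(fd, buf, (size_t)sb.st_size);
    close(fd);
    if (n != (ssize_t)sb.st_size) { free(buf); *reason = "short read"; return 0; }
    memcpy(out, buf, sizeof *out);  /* memcpy, not *(idx_header *)buf: no alignment assumption */
    free(buf);
    *reason = "ok";
    return 1;
}
```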