On Thu, 2013-01-03 at 14:05 +0100, Michael Meskes wrote:

> Like this?
> 
> michael@feivel:~$ export MALLOC_CHECK_=2
> michael@feivel:~$ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
> michael@feivel:~$ column -ets, < foo > bar
> column: line too long

Correct.

> No segfault whatsoever.

Hmmmm.

> BTW the "line too long" message disappears if I add a final CR, but still no
> segfault. I also tried on a Wheezy i386 system without getting it to segfault.

If I add a final LF the message disappears but the segfault does not. If
I add a CR instead then neither disappears. I'm using amd64.

> What kernel do you run on? The original report talked about 3.5. I'm on our
> Wheezy 3.2 kernel. Maybe that makes a difference.

Currently using 3.7 from experimental. Just now I rebooted into 3.2 and
got the segfault too.

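After recompiling bsdmainutils with noopt nostrip, I got more info
from valgrind and gdb; maybe that helps debug this, see below. In short,
valgrind reports an invalid read at column.c:314, immediately past a
zero-size block calloc'd at column.c:299, and the gdb backtrace puts the
crash in the wprintf call on that same line 314.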

BTW: I suggest that you should use these instead of what you have:

# Ask dpkg-buildflags for the compiler and linker flags instead of setting them
# by hand, so the distribution's default build flags (which include its
# hardening options) are applied to this package.
# CPPFLAGS is appended to CFLAGS; presumably the build passes only CFLAGS to
# the compiler, so preprocessor defines would otherwise be dropped (confirm).
CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)

pabs@chianamo ~ $ valgrind column -ets, < foo > bar
==29803== Memcheck, a memory error detector
==29803== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==29803== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==29803== Command: column -ets,
==29803== 
column: line too long
==29803== Invalid read of size 8
==29803==    at 0x401909: maketbl (column.c:314)
==29803==    by 0x40119C: main (column.c:155)
==29803==  Address 0x51be750 is 0 bytes after a block of size 0 alloc'd
==29803==    at 0x4C272B8: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29803==    by 0x4016D1: maketbl (column.c:299)
==29803==    by 0x40119C: main (column.c:155)
==29803== 
==29803== 
==29803== HEAP SUMMARY:
==29803==     in use at exit: 13,752 bytes in 95 blocks
==29803==   total heap usage: 126 allocs, 31 frees, 17,823 bytes allocated
==29803== 
==29803== LEAK SUMMARY:
==29803==    definitely lost: 1,020 bytes in 3 blocks
==29803==    indirectly lost: 828 bytes in 60 blocks
==29803==      possibly lost: 0 bytes in 0 blocks
==29803==    still reachable: 11,904 bytes in 32 blocks
==29803==         suppressed: 0 bytes in 0 blocks
==29803== Rerun with --leak-check=full to see details of leaked memory
==29803== 
==29803== For counts of detected and suppressed errors, rerun with: -v
==29803== ERROR SUMMARY: 7 errors from 1 contexts (suppressed: 4 from 4)
pabs@chianamo ~ $ column -ets, < foo > bar
column: line too long
Segmentation fault (core dumped)
pabs@chianamo ~ $ gdb --core /var/cache/corefiles/core-31490-1000-1000-11-1357222585-chianamo-column `which column`
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/column...done.
[New LWP 31490]

warning: Can't read pathname for load map: Input/output error.
Core was generated by `column -ets,'.
Program terminated with signal 11, Segmentation fault.
#0  __wcslen (s=0x78 <Address 0x78 out of bounds>) at wcslen.c:30
30      wcslen.c: No such file or directory.
(gdb) bt
#0  __wcslen (s=0x78 <Address 0x78 out of bounds>) at wcslen.c:30
#1  0x00007f002b4946fe in _IO_vfwprintf (s=0x7f002b7be7a0, format=0x401ec0 L"%ls\n", ap=0x7fff68030fa0) at vfprintf.c:1623
#2  0x00007f002b4abefa in __wprintf (format=0x401ec8 L"s\n") at wprintf.c:34
#3  0x0000000000401941 in maketbl () at column.c:314
#4  0x000000000040119d in main (argc=0, argv=0x7fff68031238) at column.c:155
(gdb) thread apply all bt full

Thread 1 (LWP 31490):
#0  __wcslen (s=0x78 <Address 0x78 out of bounds>) at wcslen.c:30
        len = <optimized out>
#1  0x00007f002b4946fe in _IO_vfwprintf (s=0x7f002b7be7a0, format=0x401ec0 
L"%ls\n", ap=0x7fff68030fa0) at vfprintf.c:1623
        len = <optimized out>
        string_malloced = 1745030784
        step0_jumps = {0, -13820, -13738, -13656, -13565, -13484, -13387, 
-13143, -12171, -12911, -12833, -12279, -11658, -1750, -2980, 
          -1599, -1630, -1614, -10376, -9645, -1338, -11567, -7057, -2820, 
-2756, -1021, -7338, -1932, -1841, -13225}
        space = 0
        is_short = 0
        use_outdigits = 0
        step1_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, -12911, -12833, -12279, 
-11658, -1750, -2980, -1599, -1630, -1614, -10376, -9645, -1338, 
          -11567, -7057, -2820, -2756, -1021, -7338, -1932, -1841, 0}
        group = 0
        prec = <optimized out>
        step2_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -12833, -12279, -11658, 
-1750, -2980, -1599, -1630, -1614, -10376, -9645, -1338, 
          -11567, -7057, -2820, -2756, -1021, -7338, -1932, -1841, 0}
        string = <optimized out>
        left = 0
        is_long_double = 0
        width = <optimized out>
        step3a_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -12371, 0, 0, 0, -2980, 
-1599, -1630, -1614, -10376, 0, 0, 0, 0, -2820, 0, 0, 0, 0, 
          0, 0}
        alt = 0
        showsign = 0
        is_long = 1
        is_char = 0
        pad = 32
        step3b_jumps = {0 <repeats 11 times>, -11658, 0, 0, -2980, -1599, 
-1630, -1614, -10376, -9645, -1338, -11567, -7057, -2820, -2756, 
          -1021, -7338, 0, 0, 0}
        step4_jumps = {0 <repeats 14 times>, -2980, -1599, -1630, -1614, 
-10376, -9645, -1338, -11567, -7057, -2820, -2756, -1021, -7338, 
          0, 0, 0}
        is_negative = <optimized out>
        base = 0
        the_arg = {pa_wchar = 1745031264 L'\x68031060', pa_int = 1745031264, 
pa_long_int = 140734938419296, 
          pa_long_long_int = 140734938419296, pa_u_int = 1745031264, 
pa_u_long_int = 140734938419296, 
          pa_u_long_long_int = 140734938419296, pa_double = 
6.9532298242557539e-310, pa_long_double = <invalid float value>, 
          pa_string = 0x7fff68031060 
"\001\001\001\001\001\001\001\001\310Q\236+", 
          pa_wstring = 0x7fff68031060 L"\x1010101\x1010101\x2b9e51c8缀\021", 
pa_pointer = 0x7fff68031060, pa_user = 0x7fff68031060}
        spec = 115 L's'
        _buffer = {__routine = 0x7f002b491930 <__funlockfile>, __arg = 
0x7f002b7be7a0, __canceltype = 1745030864, __prev = 0x7fff68030ed8}
        _avail = 0
        thousands_sep = 0 L'\000'
        grouping = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>
        done = 0
        f = 0x401ec8
        lead_str_end = 0x401ec0
        work_buffer = L'\000' <repeats 446 times>"\x2b7caa82, 缀", '\000' 
<repeats 18 times>"\x180000, 
\000\x17f9c4\000\x17f9c4\000\000\000\005\000\x380000\000\x385000\000\x384db8\000\x389858\000\x180000\000\003",
 '\000' <repeats 55 times>"\x2b9e24a0, 缀/\000\x2b7ced55缀\000\000\x2b9e2930缀 
\000\000\001\000\000\000\000\x68030930翿\x2b7ce9d9缀\x2b9e51c8缀\x2b9e24c0缀\x68030930翿\x2b7ca90c缀\000\000\000\000\000\000\x2b7d284d缀\000\000\x2b44fde3缀\000\000\x2b7cb842缀\x2b7bf000缀\x2b7c3858缀\x2b7bedb8缀\000\000\x680307d0翿\x2b9e24a0缀\x400720\000\x2b9e51a0缀\003\001\x680309d8\000\006\000\x389858\000︁\000\xe600a6\000\001\000臭\000\000\000\000\000\x185810\000က\000ర\000\x50e57cb7\000\x26c528f6\000\x50a96a33\000\000\000\x50e57cb7\000\x1651c9c5\000\000\000\000\000\000\000\000\000\x400720\000\x2b9e51c8缀\x2b9e4040缀\000\000\x2b9e5570缀\000\000\x2b7cb95a缀\000\000\x68030d18翿\000\000\000\000\000\000\x2b9db900缀\000\000\003\000\000\001\x1000000\000\n\000\000缀\x680309d0翿\x68030d20翿\000\000\x68030d2f翿\000\000\000\000̀\000\x464c457f𐄂\000\000\x3e0003\001\x1efc0\000@\000\x184f50\000\000\x380040\x40000a\x220023\006\005@\000@\000@\000Ȱ\000Ȱ\000\b\000\003\004\x155530\000\x155530\000\x155530\000\034\000\x2b7cd10a缀\020\000\001"...
        workstart = 0x0
        workend = <optimized out>
        ap_save = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 
0x7fff68031080, reg_save_area = 0x7fff68030fc0}}
        nspecs_done = <optimized out>
        save_errno = 22
        readonly_format = 0
        args_malloced = 0x0
        jump_table = 
"\001\000\000\004\000\016\000\006\000\000\a\002\000\003\t\000\005\b\b\b\b\b\b\b\b\b\000\000\000\000\000\000\000\032\000\031\000\023\023\023\000\035\000\000\f\000\000\000\000\000\000\025\000\000\000\000\022\000\r\000\000\000\000\000\000\032\000\024\017\023\023\023\n\017\034\000\v\030\027\021\026\f\000\025\033\020\000\000\022\000\r"
        __PRETTY_FUNCTION__ = "_IO_vfwprintf"
#2  0x00007f002b4abefa in __wprintf (format=0x401ec8 L"s\n") at wprintf.c:34
        arg = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 
0x7fff68031080, reg_save_area = 0x7fff68030fc0}}
        done = 1745030912
#3  0x0000000000401941 in maketbl () at column.c:314
        t = 0x1fc3328
        coloff = 0
        cnt = 3
        p = 0x0
        lp = 0x1fc0370
        lens = 0x1fc36a0
        maxcols = 25
        tbl = 0x1fc32e0
        cols = 0x1fc35c0
        last = 0x0
#4  0x000000000040119d in main (argc=0, argv=0x7fff68031238) at column.c:155
        win = {ws_row = 40008, ws_col = 11076, ws_xpixel = 32512, ws_ypixel = 0}
        fp = 0x0
        ch = -1
        tflag = 1
        xflag = 0
        p = 0x0
        src = 0x0
        newsep = 0x1fc0260 L","
        seplen = 1
(gdb) quit

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
