Package: modlogan
Version: 0.8.13-4
Severity: normal
Tags: patch

Under some circumstances modlogan crashes with this error message:
*** glibc detected *** realloc(): invalid next size: 0x0884f810 ***

A gdb backtrace shows that the problem is in the html_encode function:

#0  0xf7db8947 in raise () from /lib/tls/libc.so.6
#1  0xf7dba0c9 in abort () from /lib/tls/libc.so.6
#2  0xf7dee6ba in __fsetlocking () from /lib/tls/libc.so.6
#3  0xf7df7ec7 in valloc () from /lib/tls/libc.so.6
#4  0xf7df87d5 in realloc () from /lib/tls/libc.so.6
#5  0x0805f3cc in html_encode ()
#6  0xf7d52fd8 in get_menu_item () from /usr/lib/modlogan/libmla_output_modlogan.so
#7  0xf7d5a6a3 in mplugins_output_modlogan_generate_monthly_output () from /usr/lib/modlogan/libmla_output_modlogan.so
#8  0x0805bfba in generate_monthly_output ()
#9  0x0805d9c6 in main ()

This function is defined on line 485 of src/misc.c. It replaces some Latin-1 characters with their HTML entity counterparts. After handling each character it checks whether more than 4 bytes are left in its destination buffer, realloc()ing that buffer otherwise. The problem is that each iteration might write up to 7 bytes into the destination buffer (in the case of a character with an umlaut), so the check runs too late: the write that exhausts the buffer has already happened by the time the buffer is grown. The attached patch makes sure that at least 8 bytes of buffer are available before each iteration.
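To make the growth policy concrete, the following C program is an added example; it is neither modlogan's code nor the attached patch. `overflow_with_policy` models the original write-then-check loop without touching real memory and reports how far a given input would run past the allocation, parameterised by the two constants the patch changes (initial slack and margin). `html_encode_safe` is a hardened rewrite that checks the exact space needed before writing. The entity table, the function names and the constructed inputs are assumptions made for illustration; the table deliberately includes the 8-character `&eacute;` to show that a fixed margin is only safe while it exceeds the longest replacement plus its NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative Latin-1 -> entity table (an assumption, not modlogan's table).
   Longest entry is "&eacute;": 8 characters, 9 bytes with the NUL. */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case 0xE4: return "&auml;";
    case 0xF6: return "&ouml;";
    case 0xFC: return "&uuml;";
    case 0xE9: return "&eacute;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    default:   return NULL;
    }
}

/* Model of the original write-then-check policy: nothing is written, the loop
   only tracks how many bytes would be occupied in a q_len-byte buffer and
   returns the largest overrun past the allocation (0 = every write fit).
   init_extra/margin are the constants the patch changes: 1/4 before, 8/8 after. */
size_t overflow_with_policy(const char *s, size_t init_extra, size_t margin)
{
    size_t q_len = strlen(s) * 2 + init_extra;
    size_t used = 0, overflow = 0;

    for (; *s; s++) {
        const char *e = entity_for((unsigned char)*s);
        used += e ? strlen(e) : 1;
        /* after this character: used bytes plus a NUL at index used */
        if (used + 1 > q_len && used + 1 - q_len > overflow)
            overflow = used + 1 - q_len;
        /* the original check runs only now, after the bytes are in place;
           done in signed arithmetic so a small q_len cannot wrap */
        if ((long)used > (long)q_len - (long)margin)
            q_len += 128;
    }
    return overflow;
}

/* Hardened encoder: space check before the write, sized by what this character
   actually needs (entity or raw byte, plus NUL); length kept in a counter
   instead of strlen(q); realloc failure does not lose the old buffer.
   Caller frees the result. */
char *html_encode_safe(const char *s)
{
    size_t q_len, used = 0;
    char *q;

    if (!s) return NULL;
    q_len = strlen(s) * 2 + 8;
    q = malloc(q_len);
    if (!q) return NULL;

    for (; *s; s++) {
        const char *e = entity_for((unsigned char)*s);
        size_t need = e ? strlen(e) : 1;

        if (used + need + 1 > q_len) {            /* +1 for the NUL */
            size_t new_len = q_len + 128;
            if (new_len < used + need + 1) new_len = used + need + 1;
            char *nq = realloc(q, new_len);
            if (!nq) { free(q); return NULL; }
            q = nq;
            q_len = new_len;
        }
        if (e) memcpy(q + used, e, need);
        else   q[used] = (char)*s;
        used += need;
        q[used] = '\0';
    }
    return q;
}

/* Helpers that return comparable values without leaking the buffer. */
int encodes_to(const char *s, const char *expected)
{
    char *r = html_encode_safe(s);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

size_t encoded_len(const char *s)
{
    char *r = html_encode_safe(s);
    size_t n = r ? strlen(r) : 0;
    free(r);
    return n;
}

int main(void)
{
    /* constructed inputs: 0xE4 is a-umlaut, 0xE9 is e-acute in ISO-8859-1 */
    const char *a = "\xE4\xE4" "aaaaaaaaa" "\xE4";   /* 12 bytes */
    const char *b = "\xE4" "aa" "\xE9";             /* 4 bytes */

    printf("pre-patch  (1/4) on a: overrun %zu\n", overflow_with_policy(a, 1, 4));
    printf("post-patch (8/8) on a: overrun %zu\n", overflow_with_policy(a, 8, 8));
    printf("post-patch (8/8) on b: overrun %zu (9-byte write vs 8-byte margin)\n",
           overflow_with_policy(b, 8, 8));
    printf("safe encoder on b: %s\n", encodes_to(b, "&auml;aa&eacute;") ? "ok" : "FAIL");
    return 0;
}
```

Input `a` is built so that the old 4-byte margin lets a 6-character entity land when exactly 4 bytes remain; the patched 8/8 constants absorb it. Input `b` shows the residual caveat: with an 8-character entity in the table, the 8/8 policy still writes one byte past the end, which is why the hardened version checks the precise requirement of the next write instead of a constant.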
-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_DK.ISO-8859-15, LC_CTYPE=en_DK.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages modlogan depends on:
ii  libadns1      1.4-2                Asynchronous-capable DNS client li
ii  libbz2-1.0    1.0.5-3              high-quality block-sorting file co
ii  libc6         2.9-25               GNU C Library: Shared libraries
ii  libexpat1     2.0.1-4              XML parsing C library - runtime li
ii  libgd2-xpm    2.0.36~rc1~dfsg-3    GD Graphics Library version 2
ii  libpcre3      7.8-2                Perl 5 Compatible Regular Expressi
ii  libpng12-0    1.2.39-1             PNG library - runtime
ii  zlib1g        1:1.2.3.3.dfsg-15    compression library - runtime

modlogan recommends no packages.

modlogan suggests no packages.

-- no debconf information
diff -Nur modloganone.com-0.8.13-4/build-tree/modlogan/src/misc.c modloganone.com-0.8.13-4.new/build-tree/modlogan/src/misc.c --- modloganone.com-0.8.13-4/build-tree/modlogan/src/misc.c 2004-03-18 03:31:50.000000000 +0100 +++ modloganone.com-0.8.13-4.new/build-tree/modlogan/src/misc.c 2009-09-17 12:46:05.726105139 +0200 @@ -490,7 +490,7 @@ if (!s) return NULL; - q_len = strlen(s) * 2 + 1; + q_len = strlen(s) * 2 + 8; q = malloc(q_len); p = q; @@ -535,7 +535,7 @@ *(++p) = '\0'; s++; - if (strlen(q) > (q_len - 4)) { + if (strlen(q) > (q_len - 8)) { q_len += 128; q = realloc(q, q_len);
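Review bot: in the first hunk (the `q_len = strlen(s) * 2 + 8;` allocation), the `+ 8` is silently coupled to the `- 8` in the loop's `strlen(q) > (q_len - 8)` check: with the old `+ 1` and a very short input, `q_len - 8` goes below zero, and if q_len is unsigned that wraps to a huge value so the check never fires; with `+ 8` the subtraction cannot underflow. Please add a comment or a single named constant for the margin so the two numbers cannot drift apart in a later edit. Also, `q = malloc(q_len); p = q;` still proceeds without checking the malloc result.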
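Review bot: in the second hunk the check `strlen(q) > (q_len - 8)` still runs after the write, so an 8-byte margin is only sufficient while no replacement emitted by html_encode exceeds 7 characters plus its NUL; the report cites a 7-byte worst case, so it holds today, but the bound silently moves whenever the entity table grows. A check before the write, sized by the replacement about to be copied (roughly `if ((size_t)(p - q) + need + 1 > q_len)` before the store), removes that dependency and also replaces the per-iteration `strlen(q)`, which is quadratic on long strings, with pointer arithmetic. Separately, `q = realloc(q, q_len);` overwrites the only pointer to the old block on failure, and p must be rebased onto the new q after a successful realloc; the lines following the realloc are not in this hunk's context, so please confirm both are handled.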