Hi,

It turns out that it is memory corruption. From valgrind:

==30076== Invalid write of size 1
==30076==    at 0x402B788: memcpy (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30076==    by 0x408803: update_pre_post_images (apply.c:2036)
==30076==    by 0x40A6F7: check_patch (apply.c:2274)
==30076==    by 0x40B6E9: apply_patch (apply.c:3173)
==30076==    by 0x40E18A: cmd_apply (apply.c:3954)
==30076==    by 0x4057E3: handle_internal_command (git.c:308)
==30076==    by 0x404FA2: main (git.c:556)
==30076==  Address 0x5827c3d is 4 bytes after a block of size 265 alloc'd
==30076==    at 0x402994D: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30076==    by 0x4DFDE5: xmalloc (wrapper.c:35)
==30076==    by 0x40888B: update_pre_post_images (apply.c:2008)
==30076==    by 0x40A6F7: check_patch (apply.c:2274)
==30076==    by 0x40B6E9: apply_patch (apply.c:3173)
==30076==    by 0x40E18A: cmd_apply (apply.c:3954)
==30076==    by 0x4057E3: handle_internal_command (git.c:308)
==30076==    by 0x404FA2: main (git.c:556)
==30076== 
==30076== Invalid write of size 8
==30076==    at 0x402B7AD: memcpy (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30076==    by 0x408803: update_pre_post_images (apply.c:2036)
==30076==    by 0x40A6F7: check_patch (apply.c:2274)
==30076==    by 0x40B6E9: apply_patch (apply.c:3173)
==30076==    by 0x40E18A: cmd_apply (apply.c:3954)
==30076==    by 0x4057E3: handle_internal_command (git.c:308)
==30076==    by 0x404FA2: main (git.c:556)
==30076==  Address 0x5827c48 is 15 bytes after a block of size 265 alloc'd
==30076==    at 0x402994D: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30076==    by 0x4DFDE5: xmalloc (wrapper.c:35)
==30076==    by 0x40888B: update_pre_post_images (apply.c:2008)
==30076==    by 0x40A6F7: check_patch (apply.c:2274)
==30076==    by 0x40B6E9: apply_patch (apply.c:3173)
==30076==    by 0x40E18A: cmd_apply (apply.c:3954)
==30076==    by 0x4057E3: handle_internal_command (git.c:308)
==30076==    by 0x404FA2: main (git.c:556)
==30076== 

The call trace is not quite right. The problem comes from the call at
the end of match_fragment() (apply.c:2274) which says it's fine to do
the update in-place. There, the memory gets overwritten.

Making the newlines buffer in apply_one_fragment() double the size
makes this go away.

   cmn
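As an added illustration, not code from this report or from git's apply.c: the failure pattern above (deciding an in-place update is fine although the rewritten fragment can grow) and the bounds check that prevents it, using a hypothetical tab-expanding rewrite in place of git's whitespace handling.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rewrite (not git's): expand each '\t' to 4 spaces. The
 * result can be LONGER than the input, which is exactly the case where
 * an "update in place" silently runs past a buffer sized for the input. */
static size_t tab_expanded_len(const char *s, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (s[i] == '\t') ? 4 : 1;
    return out;
}

/* Only rewrite in place when the result fits in `cap`.
 * Returns the new length, or 0 if it would not fit (buffer untouched). */
size_t expand_tabs_bounded(char *buf, size_t len, size_t cap)
{
    size_t need = tab_expanded_len(buf, len);
    if (need > cap)
        return 0;
    /* Walk backwards: every write lands at or beyond the byte just read,
     * so the growing output never clobbers unread input. */
    size_t w = need;
    for (size_t r = len; r-- > 0; ) {
        if (buf[r] == '\t') {
            memset(buf + w - 4, ' ', 4);
            w -= 4;
        } else {
            buf[--w] = buf[r];
        }
    }
    return need;
}

/* Caller-side pattern: size the destination from the computed need,
 * not from the input length. Returns a malloc'd, NUL-terminated copy. */
char *expand_tabs_alloc(const char *s, size_t n, size_t *outlen)
{
    size_t need = tab_expanded_len(s, n);
    char *out = malloc(need + 1);
    if (!out)
        return NULL;
    memcpy(out, s, n);
    *outlen = expand_tabs_bounded(out, n, need);
    out[need] = '\0';
    return out;
}
```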


