Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value

Mon, 23 Aug 2010 12:09:27 -0700 

tag 593558 + moreinfo
thanks

On 19.08.2010 10:48, Ygrex wrote:

Package: libffi-dev
Version: 3.0.9-2
Severity: important

The test C-code is attached:
gcc-4.4 -lffi -lunistring -o test test.c

It can be compiled without libunistring as well (see notes, please):
1. comment out rows #7 and #8
2. uncomment #9
3. gcc-4.4 -lffi -o test test.c

What the code does:
1. creates a new ffi_type to emulate size_t;
2. allocates array of types of function arguments: (char *) and (size_t);
3. prepare CIF to call the size_t function with two arguments;
4. allocates array of pointers to two arguments: char *b and size_t a;
5. runs ffi_call and segfaults;


unable to reproduce on i386 unstable (without the library):

$ valgrind --track-origins=yes -q ./a.out
just before...
==13621== Conditional jump or move depends on uninitialised value(s)
==13621==    at 0x48DC040: strnlen (mc_replace_strmem.c:263)
==13621==    by 0x48FB54E: ffi_call_SYSV (in /usr/lib/libffi.so.5.0.10)
==13621==    by 0x48FB38D: ffi_call (in /usr/lib/libffi.so.5.0.10)
==13621==    by 0x80488FC: main (test.c:71)
==13621==  Uninitialised value was created by a heap allocation
==13621==    at 0x48DAF50: malloc (vg_replace_malloc.c:236)
==13621==    by 0x8048842: main (test.c:55)
==13621==
right after!
==13621== Use of uninitialised value of size 4
==13621==    at 0x49390FE: _itoa_word (_itoa.c:195)
==13621==    by 0x493C8EF: vfprintf (vfprintf.c:1613)
==13621==    by 0x4943FAF: printf (printf.c:35)
==13621==    by 0x804891F: main (test.c:80)
==13621==  Uninitialised value was created by a heap allocation
==13621==    at 0x48DAF50: malloc (vg_replace_malloc.c:236)
==13621==    by 0x8048842: main (test.c:55)
==13621==
==13621== Conditional jump or move depends on uninitialised value(s)
==13621==    at 0x4939106: _itoa_word (_itoa.c:195)
==13621==    by 0x493C8EF: vfprintf (vfprintf.c:1613)
==13621==    by 0x4943FAF: printf (printf.c:35)
==13621==    by 0x804891F: main (test.c:80)
==13621==  Uninitialised value was created by a heap allocation
==13621==    at 0x48DAF50: malloc (vg_replace_malloc.c:236)
==13621==    by 0x8048842: main (test.c:55)
==13621==
ret value: 0




--
To UNSUBSCRIBE, email to debian-gcc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4c72c3c1.10...@debian.org

Reply via email to