Date: Sat, 29 May 1999 20:56:52 +0200
From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
To: submit@bugs.debian.org
Subject: Memory leak in pointerize (was: Problem #4)
Message-ID: <19990529205652.F28610@finlandia.infodrom.north.de>
Reply-To: Martin Schulze <joey@infodrom.north.de>
References: <19990529205007.J1146@finlandia.infodrom.north.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <19990529205007.J1146@finlandia.infodrom.north.de>; from Martin Schulze on Sat, May 29, 1999 at 08:50:07PM +0200

Package: pointerize
Version: 0.2

Hi Enrique,

I'm just trying to let the boot-floppies script for potato run and have
encountered this problem.

Martin Schulze wrote:
> This is not a good sign...
> 
> make[4]: Leaving directory `/usr/src/debian/work/boot-floppies/utilities/dbootstrap/po'
> cc -D_GNU_SOURCE  -DARCH=i386 -DARCHNAME='"i386"'  -DKVER='"2.2.7"'  -Wall -g -DINCLUDE_DBOOTSTRAP   -c baseconfig.c -o baseconfig.oecho "#line 1 \"bootconfig.c\"" >tmp.bootconfig.c
> pointerize -m C.mo <bootconfig.c >>tmp.bootconfig.c
> make[3]: *** [tmp.bootconfig.c] Error 139
> 
> kuolema!joey(ttyp1):/usr/src/debian/work/foo> ../pointerize-0.2/src/pointerize -m C.mo <bootconfig.c >>tmp.bootconfig.c
> Segmentation fault
> kuolema!joey(ttyp1):/usr/src/debian/work/foo> gdb ../pointerize-0.2/src/pointerize
> GNU gdb 4.17.19981224.m68k.objc.threads.hwwp.fpu.gnat
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i686-pc-linux-gnu"...
> (gdb) run -m C.mo <bootconfig.c >>tmp.bootconfig.c
> Starting program: /usr/src/debian/work/foo/../pointerize-0.2/src/pointerize -m C.mo <bootconfig.c >>tmp.bootconfig.c
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x4004f97f in free ()
> (gdb) where
> #0  0x4004f97f in free ()
> #1  0x4004f7f1 in free ()
> #2  0x804a454 in reset_buffer (freebuf=1) at pointerize.c:951
> #3  0x804a4a7 in fetchbuffer () at pointerize.c:961
> #4  0x8049dba in phase5_get (tp=0xbffff184) at pointerize.c:733
> #5  0x8049e7f in phase8_get (tp=0xbffff184) at pointerize.c:769
> #6  0x804a019 in my_lex (tp=0xbffff1a0) at pointerize.c:810
> #7  0x804a219 in scan_file () at pointerize.c:879
> #8  0x804a77d in main (argc=3, argv=0xbffff1d8) at pointerize.c:1055

'kay, I've found the problem:

  if (pubbuffer) {
          pubbuffer[pubbufpos]='\0';
          tmp=strdup(pubbuffer);
          reset_buffer(1);
          return tmp;
  }

Apparently sizeof(pubbuffer) is 100 as is pubbufpos which means
that the code will place '\0' at pos 101 which is not yet allocated.

diff -u -Nur --exclude CVS orig/pointerize-0.2/src/pointerize.c pointerize-0.2/src/pointerize.c
--- orig/pointerize-0.2/src/pointerize.c        Sun Mar  7 21:50:58 1999
+++ pointerize-0.2/src/pointerize.c     Sat May 29 20:49:44 1999
@@ -956,7 +956,8 @@
 static char *fetchbuffer(void) {
   char *tmp;
   if (pubbuffer) {
-         pubbuffer[pubbufpos]='\0';
+         --pubbufpos;
+         bufferget('\0');
          tmp=strdup(pubbuffer);
          reset_buffer(1);
          return tmp;

This looks ugly but it works.

However, there is another bug some lines above:

static void bufferget(int __c) {
  static int bufmax;

  if (pubbuffer == NULL)
  {
     bufmax = 0;
     pubbufpos = 0;
  }
  if (pubbufpos >= bufmax)
  {
     bufmax += 100;
     pubbuffer = xrealloc (pubbuffer, bufmax);
  }
  pubbuffer[pubbufpos++]=__c;
}

If there is no pubbuffer, pos 0 won't be written, but only pos 1.
I don't think this is intentional.

I'll leave it to Enrique to fix it, I haven't grok'ed the code yet.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation

Please always Cc to me when replying to me on the lists.