93011 – Crash on failure to fully parse difile format

Bug 93011 - Crash on failure to fully parse difile format

Summary: Crash on failure to fully parse difile format

Status:	RESOLVED FIXED

Alias:	None

Product:	kst
Classification:	Applications
Component:	general (show other bugs)
Version:	1.x
Platform:	unspecified Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	George Staikos

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-11-10 02:37 UTC by Netterfield
Modified:	2004-12-06 06:26 UTC (History)
CC List:	0 users

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Netterfield 2004-11-10 02:37:25 UTC

Version:           1.0.0_pre1 (using KDE 3.3.1, Gentoo)
Compiler:          gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
OS:                Linux (i686) release 2.6.8-gentoo-r3

attempt to load a dirfile with a syntax error late in the format file.

Sometimes kst will just not accept it (which is the correct behavior)

Sometimes kst will crash (which is bad)

Comment 1 George Staikos 2004-11-10 12:05:19 UTC

On Tuesday 09 November 2004 20:37, netterfield@astro.utoronto.ca wrote:
> attempt to load a dirfile with a syntax error late in the format file.
>
> Sometimes kst will just not accept it (which is the correct behavior)
>
> Sometimes kst will crash (which is bad)

  Do you have a testcase or a backtrace?

Comment 2 George Staikos 2004-12-06 06:04:20 UTC

==23623== Invalid read of size 1
==23623==    at 0x4002075A: strlen (mac_replace_strmem.c:164)
==23623==    by 0x418F48BD: _IO_vfprintf_internal (in /lib/libc.so.6)
==23623==    by 0x4190ECBB: _IO_vsprintf_internal (in /lib/libc.so.6)
==23623==    by 0x418FBC3A: __GI_sprintf (in /lib/libc.so.6)
==23623==    by 0x4D8D6C60: GetNFrames (getdata.c:1477)
==23623==    by 0x4D8D264D: understands_dirfile (dirfile.cpp:145)
==23623==    by 0x40315525: KST::Plugin::understands(KConfig*, QString const&)const (kstdatasource.cpp:97)
==23623==    Address 0x4A205B44 is 0 bytes inside a block of size 288 free'd
==23623==    at 0x40027E4D: free (vg_replace_malloc.c:231)
==23623==    by 0x4D8D2FF0: FreeF (getdata.c:93)
==23623==    by 0x4D8D3C92: GetFormat (getdata.c:358)
==23623==    by 0x4D8D6BBB: GetNFrames (getdata.c:1464)
==23623==    by 0x4D8D264D: understands_dirfile (dirfile.cpp:145)


(among many others)

Comment 3 George Staikos 2004-12-06 06:26:00 UTC

CVS commit by staikos: 

don't access invalid memory on an invalid format file
BUG: 93011


  M +4 -0      getdata.c   1.25


--- kdeextragear-2/kst/kst/datasources/dirfile/getdata.c  #1.24:1.25
@@ -314,4 +314,5 @@ struct FormatType *GetFormat(const char 
       *error_code = GD_E_FORMAT;
       FreeF(F);
+      Formats.n--;
       return(NULL);
     }
@@ -319,4 +320,5 @@ struct FormatType *GetFormat(const char 
       *error_code = GD_E_FIELD;
       FreeF(F);
+      Formats.n--;
       return(NULL);
     }
@@ -357,4 +359,5 @@ struct FormatType *GetFormat(const char 
     } else {
       FreeF(F);
+      Formats.n--;
       *error_code = GD_E_FORMAT;
       return(NULL);
@@ -362,4 +365,5 @@ struct FormatType *GetFormat(const char 
     if (*error_code!=GD_E_OK) {
       FreeF(F);
+      Formats.n--;
       return(NULL);
     }