Bug 93011

Summary: Crash on failure to fully parse difile format
Product: [Applications] kst Reporter: Netterfield <netterfield>
Component: generalAssignee: George Staikos <staikos>
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version: 1.x   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Netterfield 2004-11-10 02:37:25 UTC 
Version:           1.0.0_pre1 (using KDE 3.3.1, Gentoo)
Compiler:          gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
OS:                Linux (i686) release 2.6.8-gentoo-r3

attempt to load a dirfile with a syntax error late in the format file.

Sometimes kst will just not accept it (which is the correct behavior)

Sometimes kst will crash (which is bad)
Comment 1 George Staikos 2004-11-10 12:05:19 UTC 
On Tuesday 09 November 2004 20:37, netterfield@astro.utoronto.ca wrote:
> attempt to load a dirfile with a syntax error late in the format file.
>
> Sometimes kst will just not accept it (which is the correct behavior)
>
> Sometimes kst will crash (which is bad)

  Do you have a testcase or a backtrace?
Comment 2 George Staikos 2004-12-06 06:04:20 UTC 
==23623== Invalid read of size 1
==23623==    at 0x4002075A: strlen (mac_replace_strmem.c:164)
==23623==    by 0x418F48BD: _IO_vfprintf_internal (in /lib/libc.so.6)
==23623==    by 0x4190ECBB: _IO_vsprintf_internal (in /lib/libc.so.6)
==23623==    by 0x418FBC3A: __GI_sprintf (in /lib/libc.so.6)
==23623==    by 0x4D8D6C60: GetNFrames (getdata.c:1477)
==23623==    by 0x4D8D264D: understands_dirfile (dirfile.cpp:145)
==23623==    by 0x40315525: KST::Plugin::understands(KConfig*, QString const&)const (kstdatasource.cpp:97)
==23623==    Address 0x4A205B44 is 0 bytes inside a block of size 288 free'd
==23623==    at 0x40027E4D: free (vg_replace_malloc.c:231)
==23623==    by 0x4D8D2FF0: FreeF (getdata.c:93)
==23623==    by 0x4D8D3C92: GetFormat (getdata.c:358)
==23623==    by 0x4D8D6BBB: GetNFrames (getdata.c:1464)
==23623==    by 0x4D8D264D: understands_dirfile (dirfile.cpp:145)


(among many others)
Comment 3 George Staikos 2004-12-06 06:26:00 UTC 
CVS commit by staikos: 

don't access invalid memory on an invalid format file
BUG: 93011


  M +4 -0      getdata.c   1.25


--- kdeextragear-2/kst/kst/datasources/dirfile/getdata.c  #1.24:1.25
@@ -314,4 +314,5 @@ struct FormatType *GetFormat(const char 
       *error_code = GD_E_FORMAT;
       FreeF(F);
+      Formats.n--;
       return(NULL);
     }
@@ -319,4 +320,5 @@ struct FormatType *GetFormat(const char 
       *error_code = GD_E_FIELD;
       FreeF(F);
+      Formats.n--;
       return(NULL);
     }
@@ -357,4 +359,5 @@ struct FormatType *GetFormat(const char 
     } else {
       FreeF(F);
+      Formats.n--;
       *error_code = GD_E_FORMAT;
       return(NULL);
@@ -362,4 +365,5 @@ struct FormatType *GetFormat(const char 
     if (*error_code!=GD_E_OK) {
       FreeF(F);
+      Formats.n--;
       return(NULL);
     }