Hi

cscope-15.9 (installed from homebrew) crashes on macOS (Monterey).
I then downloaded the source code to build it myself on macOS and
I could reproduce the crash. I then built cscope-15.9 with asan (address
sanitizer) and I see this:
```
=================================================================
==50182==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00010474cc81 at pc 0x00010d195718 bp 0x00030d14ae90 sp
0x00030d14a610
READ of size 2 at 0x00010474cc81 thread T0
    #0 0x10d195717 in printf_common(void*, char const*,
__va_list_tag*)+0x8e7
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1f717)
    #1 0x10d1958f7 in wrap_vsnprintf+0x97
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1f8f7)
    #2 0x10d19630d in wrap_snprintf+0x9d
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x2030d)
    #3 0x104676eb6 in search display.c:476
    #4 0x104662f9f in command command.c:522
    #5 0x104693b07 in main main.c:888
    #6 0x204a5e51d in start+0x1cd (dyld:x86_64+0x551d)

0x00010474cc81 is located 63 bytes to the left of global variable
'function' defined in 'find.c:1204:14' (0x10474ccc0) of size 251
0x00010474cc81 is located 0 bytes to the right of global variable
'found_caller' defined in 'find.c:1047:14' (0x10474cc80) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1f717) in
printf_common(void*, char const*, __va_list_tag*)+0x8e7
Shadow bytes around the buggy address:
  0x1000208e9940: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
  0x1000208e9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000208e9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000208e9970: 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x1000208e9980: 00 00 04 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
=>0x1000208e9990:[01]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x1000208e99a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000208e99b0: 00 00 00 00 00 00 00 03 f9 f9 f9 f9 00 f9 f9 f9
  0x1000208e99c0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x1000208e99d0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x1000208e99e0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50182==ABORTING
```

I can reproduce the crash at least with vim sources:
```
$ cd vim/src/testdir
$ cscope -bk -fcscope.out ../memfile_test.c
$ cscope -d
```
Then do:
```
Find functions called by this function: hash_mf_test
```
Type return and observe a crash.

In fact, I found this because Vim tests failed
when Vim is built with cscope support (as cscope
crashed on macOS):

```
$ cd vim/src/tests
$ make test_cscope
(observe that 2 tests fail)
```

I see that function `findcalledby(...)` in `cscope-15.9/src/find.c:1044`
returns a `char*` which contains a single character and it is not
'\0' terminated.  This causes a crash later when outputting it in
`display.c:476` with `snprintf(..., "Egrep %s in this pattern:%s", ...`

The proposed patch fixes that issue in `find.c` by making sure
the returned `char*` is '\0' terminated.

However, cscope still did not work on macOS for another
reason whereas it worked on Linux. Debugging the difference,
I saw that BUFSIZ is 1024 on macOS and 8192 on Linux and
somehow this causes cscope to not work on macOS.
I don't understand why it causes it to break, but
replacing BUFSIZ (which is platform dependent)
with a '#define BUFFER_SIZE 8192' makes it work.
There may be another bug here lurking as I suppose
it should have worked even if the BUFSIZ was only 1024.
At least now I no longer see the asan error and vim
tests also pass with my proposed patch.

The proposed patch also fixes unrelated typos in
comments and in the cscope man pages.

Given that this fixes a crash, I hope a new cscope
release can be created soon.

I wanted to try with the latest code in CVS but
I was not able to download it from sourceforge.

Regards
Dominique

_______________________________________________
Cscope-devel mailing list
Cscope-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cscope-devel
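The bug class described in the report above (a one-byte result buffer with no room for a terminating '\0', later handed to a "%s" conversion) can be reproduced and checked in isolation. The following C program is an added example written for this page; it is not cscope's find.c or display.c code, and the buffer and function names (caller_unterminated, lookup_terminated, build_prompt, ...) are hypothetical stand-ins. It shows the unterminated and the terminated variant side by side, a memchr-based check that a buffer actually contains a terminator within its declared size, and a prompt builder that refuses to call snprintf on a buffer that fails that check instead of over-reading past it.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the single-character result buffer from the
 * report: exactly one byte, so a terminating '\0' cannot fit.
 * Hypothetical name, not cscope's own variable. */
static char caller_unterminated[1];

/* Fixed variant: one spare byte so the result can always be terminated. */
static char caller_terminated[2];

/* Mimics a lookup that stores one character and returns the buffer,
 * without ever writing a terminator (none would fit anyway). */
static char *lookup_unterminated(char c)
{
    caller_unterminated[0] = c;
    return caller_unterminated;
}

/* Same lookup after the fix: the result is '\0'-terminated. */
static char *lookup_terminated(char c)
{
    caller_terminated[0] = c;
    caller_terminated[1] = '\0';
    return caller_terminated;
}

/* Check to apply before passing a fixed-size buffer to "%s":
 * memchr is bounded by cap, so a NULL result means no '\0' lies
 * inside the buffer and "%s" would read past its end. */
static bool is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Builds the same kind of prompt as the snprintf in the report, but
 * returns -1 instead of formatting an unterminated buffer.
 * cap is the declared size of the caller buffer. */
static int build_prompt(char *out, size_t outsz,
                        const char *caller, size_t cap,
                        const char *pattern)
{
    if (!is_terminated(caller, cap))
        return -1;
    return snprintf(out, outsz, "Egrep %s in this pattern:%s",
                    caller, pattern);
}

int main(void)
{
    char out[64];

    /* Unterminated: the check catches it; no "%s" over-read happens. */
    int rc = build_prompt(out, sizeof out,
                          lookup_unterminated('n'),
                          sizeof caller_unterminated, "hash_mf_test");
    printf("unterminated buffer: rc=%d\n", rc);

    /* Terminated: formats normally. */
    rc = build_prompt(out, sizeof out,
                      lookup_terminated('n'),
                      sizeof caller_terminated, "hash_mf_test");
    printf("terminated buffer:   rc=%d -> %s\n", rc, out);
    return 0;
}
```

Building the block with -fsanitize=address and replacing the is_terminated guard with a direct snprintf of caller_unterminated reproduces a global-buffer-overflow READ of the same shape as the trace above, since "%s" scans for a '\0' that is not inside the one-byte object.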