Hello,
I was able to reproduce the crash.
It happens right after trying to execute something, when the history is written back (writeHistory, see the backtrace below).
History handling uses an array of pointers to char, but each entry is stored as a 32-bit integer (u32).
On a 64-bit build the upper half of every pointer is therefore lost, and the truncated value is later handed to fprintf("%s") in writeHistory, which is where strlen crashes in the backtrace below (compare the 0x5558... heap addresses with the 0x6cdd4c10 stored in *histTOC2).
gcc does try to warn about this:
bbrun.c: In function ‘readHistory’:
bbrun.c:202:19: warning: cast from pointer to integer of different size
[-Wpointer-to-int-cast]
*histTOC2 = (u32) item;
coredumpctl gdb
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007f0d9be2ed78 in _IO_vfprintf_internal (s=0x55586cdd4d20,
format=<optimized out>, ap=ap@entry=0x7ffca6fb9568) at vfprintf.c:1637
#2 0x00007f0d9be35157 in __fprintf (stream=<optimized out>, format=<optimized
out>) at fprintf.c:32
#3 0x000055586bcc0cdf in writeHistory () at bbrun.c:312
#4 0x000055586bcc0f36 in execDialogInformation () at bbrun.c:346
#5 0x000055586bcc1063 in callback (widget=<optimized out>, data=<optimized
out>) at bbrun.c:326
#6 0x00007f0d9c994f75 in g_closure_invoke () from
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
...
(gdb) frame 3
#3 0x000055586bcc0cdf in writeHistory () at bbrun.c:312
312 fprintf(fp, "%s\n", (char *) *histTOC2);
(gdb) print histTOC2
$1 = (u_int32_t *) 0x55586ccd7e50
(gdb) print/x *histTOC2
$3 = 0x6cdd4c10
The attached dpatch switches the history table to proper pointer types (char **) so that the casts can be dropped.
Kind regards,
Bernhard
#! /bin/sh /usr/share/dpatch/dpatch-run
##
## All lines beginning with `## DP:' are a description of the patch.
##
##From 62373247b1a4cc58d9066bb976bff8df96ae0a73 Mon Sep 17 00:00:00 2001
##From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <[email protected]>
##Date: Fri, 5 May 2017 23:01:38 +0200
##Subject: Use pointer type instead of 32bit integer to store history.
##
##https://bugs.debian.org/860443
##---
## bbrun/bbrun.c | 21 ++++++++++-----------
## 1 file changed, 10 insertions(+), 11 deletions(-)
@DPATCH@
diff --git a/bbrun/bbrun.c b/bbrun/bbrun.c
index 46bf6c3..a52026e 100644
--- a/bbrun/bbrun.c
+++ b/bbrun/bbrun.c
@@ -20,7 +20,6 @@
#define ADVANCED_WINDOW_ROWS 3
#define ADVANCED_WINDOW_COLS 10
-#define u32 u_int32_t
#define __DEBUG__ 0
#define VERSION "1.6"
@@ -38,8 +37,8 @@ char historyFilename[MAXPATHLEN + 1]; // The path to the
history file, +1 is
// TOC = Table Of Contents, it is a dynamically allocated array of pointers to
dynamically
// allocated history items.
-u32 *histTOC; // Always keep track of the beginning,
this one is NEVER incremented.
-u32 *histTOC2; // We increment this one for each item
+char* *histTOC; // Always keep track of the
beginning, this one is NEVER incremented.
+char* *histTOC2; // We increment this one for
each item
void parseArguments(int, char **);
void execDialogInformation();
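Review bot: `char* *histTOC;` and `char* *histTOC2;` split the declarator in an unusual way; the conventional spelling is `char **histTOC;` / `char **histTOC2;`, which also reads naturally as the "array of pointers" the comment above describes. Both remain file-scope globals without `static`; if nothing outside bbrun.c references them, `static char **histTOC;` and `static char **histTOC2;` would keep them out of the global namespace (other users cannot be confirmed from this hunk).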
@@ -170,7 +169,7 @@ void readHistory(void) {
char *item;
FILE *fp;
- histTOC = malloc(sizeof(u32) * 1);
+ histTOC = malloc(sizeof(*histTOC) * 1);
histTOC2 = histTOC;
if ((fp = fopen(historyFilename, "r")) == 0) {
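Review bot: The new `histTOC = malloc(sizeof(*histTOC) * 1);` leaves the allocation unchecked and the `* 1` adds nothing; `histTOC2 = histTOC;` then aliases a possibly NULL table. Since the table is grown with realloc for every item later in readHistory (realloc on NULL behaves as a fresh allocation), this seed slot is not strictly needed, but if it is kept it should be checked: `histTOC = malloc(sizeof *histTOC); if (histTOC == NULL) return;` before histTOC2 is assigned. readHistory's body continues below this hunk.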
@@ -192,14 +191,14 @@ void readHistory(void) {
if (buf != NULL) {
historyLength++;
- histTOC = realloc(histTOC, sizeof(u32) * historyLength);
+ histTOC = realloc(histTOC, sizeof(*histTOC) * historyLength);
histTOC2 = histTOC + historyLength - 1;
item = malloc(strlen(buf));
strncpy(item, buf, strlen(buf));
item[strlen(buf)- 1] = 0x0; // Remove the newline
char
- *histTOC2 = (u32) item;
+ *histTOC2 = item;
} else {
// [email protected], This is a NULL line, which should NEVER happen. Stop
any further processing,
// because chances are very good that the rest of the file is corrupt
too.
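Review bot: The new line `histTOC = realloc(histTOC, sizeof(*histTOC) * historyLength);` overwrites the only copy of the table pointer, so if realloc fails the old table leaks and the next line computes `histTOC + historyLength - 1` from NULL before `*histTOC2 = item` writes through it. Assign through a temporary and stop reading on failure, e.g. `char **grown = realloc(histTOC, sizeof(*histTOC) * historyLength);` / `if (grown == NULL) { historyLength--; break; }` / `histTOC = grown;` (the loop this sits in starts above the hunk, so confirm `break` leaves it cleanly). The unchanged item copy below it (`malloc(strlen(buf))`, `strncpy`, then clearing the last byte) only works when `buf` ends in a newline: a final line without one loses its last character, and if `buf` can ever be empty `item[strlen(buf) - 1]` wraps to an out-of-bounds index. readHistory continues outside the hunk.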
@@ -232,7 +231,7 @@ void updateHistory(char *newHistoryItem)
int duplicate = -1;
int historyIndex;
char *item;
- u32 *histTransit; // Before, we would copy the data around, now
we play around
+ char *histTransit; // Before, we would copy the data around, now
we play around
// with the pointers, which should be more
efficient.
if (__DEBUG__)
@@ -256,7 +255,7 @@ void updateHistory(char *newHistoryItem)
fprintf(stderr, " duplicate of item [%02d].\n", duplicate);
if (duplicate != (historyLength - 1)) { // If the duplicate entry is
not at the end
- histTransit = (u32 *) (histTOC + duplicate);
+ histTransit = *(histTOC + duplicate);
// Shift each entry forward
for (historyIndex = duplicate; historyIndex < historyLength - 1;
historyIndex++) {
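Review bot: `histTransit = *(histTOC + duplicate);` is a behaviour change, not only a type change: the removed line saved the address of the slot, so after the shift loop the entry re-appended at the end pointed into the table itself rather than at the duplicated string. The new line saves the item pointer, which is what the later `*histTOC2 = histTransit;` needs, but neither the subject line ("Use pointer type instead of 32bit integer") nor the code says so; a comment such as `// Keep the duplicate's string; the shift below overwrites its slot` plus a sentence in the commit message would make the fix discoverable. The shift loop's body continues outside the hunk.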
@@ -266,7 +265,7 @@ void updateHistory(char *newHistoryItem)
// put duplicate at the end
histTOC2 = histTOC + historyLength - 1;
- *histTOC2 = (u32) histTransit;
+ *histTOC2 = histTransit;
}
} else {
// The command is NOT in the history already, so add it
@@ -276,14 +275,14 @@ void updateHistory(char *newHistoryItem)
historyLength++;
// Set the last item of the history to be the new command
- histTOC = realloc(histTOC, sizeof(u32) * historyLength);
+ histTOC = realloc(histTOC, sizeof(*histTOC) * historyLength);
histTOC2 = histTOC + historyLength - 1;
item = malloc(MAXCMDLEN + 1);
strncpy(item, newHistoryItem, MAXCMDLEN + 1);
item[strlen(item)] = 0x0;
- *histTOC2 = (u32) item;
+ *histTOC2 = item;
}
if (__DEBUG__) {
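Review bot: `histTOC = realloc(histTOC, sizeof(*histTOC) * historyLength);` loses the old table if realloc returns NULL, and the following `histTOC2 = histTOC + historyLength - 1;` then does pointer arithmetic on NULL; use a temporary, `char **grown = realloc(histTOC, sizeof(*histTOC) * historyLength);` / `if (grown == NULL) { historyLength--; return; }` / `histTOC = grown;` (updateHistory is void, see the hunk header at -232). The unchanged copy below it, `strncpy(item, newHistoryItem, MAXCMDLEN + 1); item[strlen(item)] = 0x0;`, does not guarantee termination: when newHistoryItem has MAXCMDLEN + 1 or more characters strncpy writes no NUL, so `strlen(item)` reads past the buffer and the second statement cannot repair it. `snprintf(item, MAXCMDLEN + 1, "%s", newHistoryItem);` gives a bounded, always-terminated copy in one call. updateHistory's body continues outside the hunk.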
--
2.11.0