Subject: rrdtool: crashes with malformed graph cdef command
Package: rrdtool
Version: 1.2.11-0.5
Severity: normal
Tags: patch
Hello,
rrdtool crashes when processing a malformed graph cdef command:
[EMAIL PROTECTED]:~/recently$ /usr/bin/rrdtool create test.rrd --step 60
DS:test:GAUGE:120:0:U RRA:AVERAGE:test
[EMAIL PROTECTED]:~/recently$ /usr/bin/rrdtool graph test.rrd \
CDEF:test2=UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU,test,5,+
Segmentation fault
[EMAIL PROTECTED]:~/recently$
The included patch should correct this issue.
// Ulf Harnhammar
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages rrdtool depends on:
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libc6 2.3.6-3 GNU C Library: Shared libraries an
ii libfreetype6 2.1.10-1 FreeType 2 font engine, shared lib
ii libpng12-0 1.2.8rel-5 PNG library - runtime
ii librrd2 1.2.11-0.5 Time-series data storage and displ
ii zlib1g 1:1.2.3-11 compression library - runtime
rrdtool recommends no packages.
-- no debconf information
--- src/rrd_graph.h.old 2005-07-25 16:13:13.000000000 +0200
+++ src/rrd_graph.h 2006-03-26 15:28:30.000000000 +0200
@@ -7,6 +7,7 @@
#define MAX_VNAME_LEN 255
#define DEF_NAM_FMT "%255[-_A-Za-z0-9]"
+#define DEF_NAM_FMT2 "%29[-_A-Za-z0-9]"
#define ALTYGRID 0x01 /* use alternative y grid algorithm */
#define ALTAUTOSCALE 0x02 /* use alternative algorithm to find lower and
upper bounds */
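Review bot: the width 29 in the added DEF_NAM_FMT2 line is a bare number with no stated link to the buffer it protects, and it sits directly under MAX_VNAME_LEN 255 and DEF_NAM_FMT "%255[-_A-Za-z0-9]" without saying why two limits now exist. A scanf width counts characters excluding the terminating NUL, so this format needs a destination of at least 30 bytes; please add a comment naming that buffer and its size, or derive both the array size and the width from one named constant, and give the macro a name that says what it is for. The description should also state that names longer than 29 characters, which MAX_VNAME_LEN and DEF_NAM_FMT still allow for, will no longer be matched by the parser paths switched to the new format.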
--- src/rrd_rpncalc.c.old 2005-07-25 16:13:13.000000000 +0200
+++ src/rrd_rpncalc.c 2006-03-26 15:29:23.000000000 +0200
@@ -279,7 +279,7 @@ rpn_parse(void *key_hash,char *expr,long
#define match_op_param(VV,VVV) \
- else if (sscanf(expr, #VVV "(" DEF_NAM_FMT ")",vname) == 1) { \
+ else if (sscanf(expr, #VVV "(" DEF_NAM_FMT2 ")",vname) == 1) { \
int length = 0; \
if ((length = strlen(#VVV)+strlen(vname)+2, \
expr[length] == ',' || expr[length] == '\0') ) { \
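Review bot: in match_op_param, the `== 1` test on sscanf is satisfied as soon as vname is assigned, so neither the old nor the new format confirms that the closing ")" was actually matched. With the width cut to 29, an overlong name is now silently truncated rather than rejected, and the only guard left is the expr[length] test at a position computed from the truncated strlen(vname). Suggest appending "%n" after the ")" in the format, initialising the receiving position variable to 0 and requiring it to be non-zero, so that a truncated or unterminated name fails as a parse error instead of depending on which character happens to sit at expr[length].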
@@ -339,7 +339,7 @@ rpn_parse(void *key_hash,char *expr,long
#undef match_op
- else if ((sscanf(expr, DEF_NAM_FMT "%n",
+ else if ((sscanf(expr, DEF_NAM_FMT2 "%n",
vname,&pos) == 1)
&& ((rpnp[steps].ptr = (*lookup)(key_hash,vname)) != -1)){
rpnp[steps].op = OP_VARIABLE;
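Review bot: in the OP_VARIABLE branch, `sscanf(expr, DEF_NAM_FMT2 "%n", vname,&pos) == 1` now stops after 29 characters, so for a longer token vname holds only a prefix and pos is 29; if that prefix is itself a defined name, the lookup succeeds and the rest of the token is left in expr. Nothing in the visible lines checks the character at expr[pos]. Suggest requiring it to be ',' or '\0' before setting OP_VARIABLE, as match_op_param does with expr[length], and reporting an over-long variable name as an explicit parse error.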