There's also an Ubuntu bug (there are no Ubuntu changes to the joe
package) about this:
https://bugs.launchpad.net/ubuntu/+source/joe/+bug/615320
Building from the source package, I can only reproduce the bug if I use
the configure options --sysconfdir=/etc --prefix=/usr.
The backtrace is:
(gdb) bt
#0 0x00007ffff73c3a75 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff73c75c0 in *__GI_abort () at abort.c:92
#2 0x00007ffff73fd4fb in __libc_message (do_abort=<value optimized
out>, fmt=<value optimized out>) at
../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3 0x00007ffff74075b6 in malloc_printerr (action=3,
str=0x7ffff74dac00 "free(): invalid next size (fast)", ptr=<value
optimized out>) at malloc.c:6264
#4 0x00007ffff740de53 in *__GI___libc_free (mem=<value optimized
out>) at malloc.c:3738
#5 0x000000000042f913 in utypebw_raw (bw=0x7475d0, k=45,
no_decode=<value optimized out>) at uedit.c:1845
#6 0x000000000040eeab in execmd (cmd=0x664ae0, k=45) at cmd.c:408
#7 0x0000000000411b83 in exsimple (m=0x6cb2a0, arg=<value optimized
out>, u=6) at macro.c:425
#8 0x0000000000412d48 in edloop (flg=0) at main.c:126
#9 0x000000000041360a in main (argc=<value optimized out>,
real_argv=0x44951a, envv=<value optimized out>) at main.c:535
Running the code under valgrind, I get the following info:
==27663== Invalid write of size 1
==27663== at 0x435052: wrapword (uformat.c:368)
==27663== by 0x42F912: utypebw_raw (uedit.c:1845)
==27663== by 0x40EEAA: execmd (cmd.c:408)
==27663== by 0x411B82: exsimple (macro.c:425)
==27663== by 0x412D47: edloop (main.c:126)
==27663== by 0x413609: main (main.c:535)
==27663== Address 0x5b60818 is 0 bytes after a block of size 88 alloc'd
==27663== at 0x4C284A8: malloc (vg_replace_malloc.c:236)
==27663== by 0x440DF8: joe_malloc (utils.c:256)
==27663== by 0x4050AD: brs (b.c:2920)
==27663== by 0x434D70: wrapword (uformat.c:359)
==27663== by 0x42F912: utypebw_raw (uedit.c:1845)
==27663== by 0x40EEAA: execmd (cmd.c:408)
==27663== by 0x411B82: exsimple (macro.c:425)
==27663== by 0x412D47: edloop (main.c:126)
==27663== by 0x413609: main (main.c:535)
==27663==
==27663== Invalid read of size 1
==27663== at 0x4C296E4: __GI_strlen (mc_replace_strmem.c:284)
==27663== by 0x434DD7: wrapword (uformat.c:373)
==27663== by 0x42F912: utypebw_raw (uedit.c:1845)
==27663== by 0x40EEAA: execmd (cmd.c:408)
==27663== by 0x411B82: exsimple (macro.c:425)
==27663== by 0x412D47: edloop (main.c:126)
==27663== by 0x413609: main (main.c:535)
==27663== Address 0x5b60818 is 0 bytes after a block of size 88 alloc'd
==27663== at 0x4C284A8: malloc (vg_replace_malloc.c:236)
==27663== by 0x440DF8: joe_malloc (utils.c:256)
==27663== by 0x4050AD: brs (b.c:2920)
==27663== by 0x434D70: wrapword (uformat.c:359)
==27663== by 0x42F912: utypebw_raw (uedit.c:1845)
==27663== by 0x40EEAA: execmd (cmd.c:408)
==27663== by 0x411B82: exsimple (macro.c:425)
==27663== by 0x412D47: edloop (main.c:126)
==27663== by 0x413609: main (main.c:535)
I think the following code might do a write one byte after the end of
the allocated memory (uformat.c:366):
    if (x) {
        indents[x++] = ' ';
        indents[x] = 0;
    }
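As an added illustration (not the reporter's code and not joe's), the following C models the sizing mismatch behind that valgrind report and shows the hardened form. It assumes brs() at uformat.c:359 hands back exactly x + 1 bytes for an x-character indent string, which is what "block of size 88" followed by a write 0 bytes past it suggests; the function and variable names are invented for this example.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Model of the indent handling at uformat.c:366, written for this note.
 * Assumption: brs() returns a buffer of exactly x + 1 bytes (x chars
 * plus NUL) for an x-character indent string.
 */

/* Bytes the original snippet touches for an indent of x chars:
 * x chars, then ' ' at indents[x] and the NUL at indents[x + 1]
 * when x != 0; just the x chars plus NUL when x == 0. */
size_t bytes_touched(size_t x)
{
    return x ? x + 2 : x + 1;
}

/* Size brs() is assumed to allocate for the same string. */
size_t bytes_allocated(size_t x)
{
    return x + 1;
}

/* Nonzero if the original pattern writes past the allocation.
 * For the valgrind case, x = 87: 89 bytes touched, 88 allocated. */
int overflows(size_t x)
{
    return bytes_touched(x) > bytes_allocated(x);
}

/* Hardened form: copy the indent into a fresh buffer sized for the
 * appended space and terminator, so no write lands past the end.
 * Caller frees the result. */
char *indent_with_space(const char *indent)
{
    size_t x = strlen(indent);
    char *out = malloc(bytes_touched(x));
    if (out == NULL)
        return NULL;
    memcpy(out, indent, x);
    if (x) {
        out[x] = ' ';
        out[x + 1] = '\0';
    } else {
        out[0] = '\0';
    }
    return out;
}
```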