[Rd] Bug in R 2.7 for over long lines (crasher+proposed fix!) (PR#11281)

Fri, 25 Apr 2008 23:30:16 -0700 

OK, I am just sending it here too as it looks like r-devel@r-project.org
is not the right place:

=EF=BB=BFOn Fri, 2008-04-25 at 08:48 +0200, Soeren Sonnenburg wrote:
> While trying to fix swig & R2.7 I actually discovered that there is a
> bug in R 2.7 causing a crash (so R & swig might actually work):
>=20
> the bug is in ./src/main/gram.c  line 3038:
>=20
>             } else { /* over-long line */
> fixthis --> char *LongLine =3D (char *) malloc(nc);
>             if(!LongLine)
>                 error(_("unable to allocate space for source line %
d"), xxlineno);
>             strncpy(LongLine, (char *)p0, nc);
>  bug -->    LongLine[nc] =3D '\0';
>             SET_STRING_ELT(source, lines++,
>                        mkChar2((char *)LongLine));
>             free(LongLine);
>=20
> note that LongLine is only nc chars long, so the LongLine[nc]=3D'\0'
might
> be an out of bounds write. the fix would be to do
>=20
> =EF=BB=BF            char *LongLine =3D (char *) malloc(nc+1);
>=20
> in line 3034
>=20
> Please fix and thanks to dirk for the debian r-base-dbg package!

Looking at the code again there seems to be another bug above this for
the MAXLINESIZE test too:

        if (*p =3D=3D '\n' || p =3D=3D end - 1) {
            nc =3D p - p0;
            if (*p !=3D '\n')
            nc++;
            if (nc <=3D MAXLINESIZE) {
            strncpy((char *)SourceLine, (char *)p0, nc);
bug2 -->    SourceLine[nc] =3D '\0';
            SET_STRING_ELT(source, lines++,
                       mkChar2((char *)SourceLine));
            } else { /* over-long line */
            char *LongLine =3D (char *) malloc(nc+1);
            if(!LongLine)
                error(_("unable to allocate space for source line %d"),
xxlineno);
bug1 -->    strncpy(LongLine, (char *)p0, nc);
            LongLine[nc] =3D '\0';
            SET_STRING_ELT(source, lines++,
                       mkChar2((char *)LongLine));
            free(LongLine);
            }
            p0 =3D p + 1;
        }


So I guess the test would be for nc < MAXLINESIZE above or to change
SourceLine to have MAXLINESIZE+1 size.

Alternatively as the strncpy manpage suggests do this for all
occurrences of strncpy

           strncpy(buf, str, n);
           if (n > 0)
               buf[n - 1]=3D =E2=80=99\0=E2=80=99;

this could even be made a makro / helper function ...

And another update: This does fix the R+swig crasher for me (tested)!

Soeren

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel

Reply via email to