From: cinap_lenrek@felloff.net
To: 9front@9front.org
Date: Sat, 12 Mar 2022 12:23:56 +0100
Subject: Re: [9front] werc memory over flow
In-Reply-To: <7AF3DDC08B1B97F5D456A1AEE44E9AD7@eigenstate.org>
List-ID: <9front.9front.org>

it doesn't matter so much. it is a memory corruption.

> hdr 0a110c09 00002020 0020cabc 00206fa7 3e703c0a 69206548

the callerpc of the allocation being corrupted is 0x20cabc (this is amd64, not 386)

acid: src(0x20cabc)
/sys/src/cmd/awk/run.c:1898
 1893 	char *buf;
 1894 	void *p;
 1895 	int mflag, num;
 1896 	int bufsz = recsize;
 1897 
>1898 	if ((buf = (char *)malloc(bufsz)) == nil)
 1899 		FATAL("out of memory in gsub");
 1900 	mflag = 0;	/* if mflag == 0, can replace empty string */
 1901 	num = 0;
 1902 	x = execute(a[3]);	/* target string */
 1903 	c = t = getsval(x);

which is in the gsub() function. from the tail, we can see that it overwrote one single '\0' byte past the buffer.

it would be much better to have a reproducer for this bug, not a stacktrace. we already have all the information.

now i could stare at this code for a day or you give me a reproducer and then we can fix gsub() and make sure the bug is fixed.

--
cinap