Date: Sat, 11 Dec 2010 18:02:36 +0100
From: Ingo Schwarze
To: tech@mdocml.bsd.lv
Subject: Re: Remaining patches
Message-ID: <20101211170236.GF27691@iris.usta.de>
References: <4CF65D82.2090302@bsd.lv> <20101201145258.GA18473@iris.usta.de> <4CF662C5.8070806@bsd.lv> <20101202200205.GA12188@iris.usta.de> <4CF82337.2060203@bsd.lv> <20101202232111.GE12188@iris.usta.de> <4CFCE8A6.7000101@bsd.lv> <4CFCE997.6000700@bsd.lv> <20101206142051.GA6999@iris.usta.de> <4CFD0AE3.8050502@bsd.lv>
In-Reply-To: <4CFD0AE3.8050502@bsd.lv>
Reply-To: tech@mdocml.bsd.lv
User-Agent: Mutt/1.5.21 (2010-09-15)

Hi Kristaps,

Kristaps Dzonsons wrote on Mon, Dec 06, 2010 at 05:10:11PM +0100:
> Ingo Schwarze wrote:

>> Regarding your recent commits, it is nice all this is going in.
>> I'll cross-check a bit more carefully when i'm out of office.
>> One thing looks dubious, though.
>>
>>   .de XX
>>   ..
>>
>> This should do the same as
>>
>>   .ds XX ""
>>
>> and *not* the same as
>>
>>   .rm XX
>>
>> Thus, i specifically changed that from NULL to "".
>> Otherwise, pages containing .IX throw lots of "unknown macro"
>> errors.
>>
>> In case this crashes on ALPHA, i suspect another bug somewhere...
>> Perhaps something related to integer sizes or alignment?

> Nope, valgrind pukes all over certain pages with this as well.
> Enclosed is an example offender and valgrind's output (in case it's
> useful).  The output, as you can see, stops at the first
> parenthesis.
>
> I'll look into it some more later.

Here is what happens.

When parsing ".IX xyzzy", roff.c, roff_userdef() sets

  *bufp = "";
  *szp = 1;
  return(ROFF_APPEND);

Then main.c, parsebuf() has

  ln.buf = "";
  ln.sz = 1;
  pos = 0;
  continue;

It appends the next line.
Hitting the \s at the beginning, it calls

  resize_buf(&ln, 256)

which does

  buf->sz = buf->sz ? 2 * buf->sz : initial;

i.e.

  buf->sz = 2*1 = 2;
  realloc(buf->buf, buf->sz);

and returning to parsebuf()

  ln.buf[pos++] = blk.buf[i++];
  ln.buf[pos++] = blk.buf[i++];

to copy the two characters of "\s".
That's one too much, boom.

So, let's fix resize_buf!

Can you verify with valgrind?
This analysis is purely from reading the code.
The OpenBSD build survives with the patch.

Yours,
  Ingo

> .TH FOO 1
> .ie \nF \{\
> . de IX
> ..
> .\}
> .el \{\
> . de IX
> ..
> .\}
> .IX Title "FOO 1"
> .SH "NAME"
> foo \- bar
> .SH DESCRIPTION
> .IX xyzzy
> (\s-1asdfasd\s0) fdsafdsa

> ==27147== Memcheck, a memory error detector
> ==27147== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
> ==27147== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
> ==27147== Command: ./mandoc -Owidth=68 foo.1
> ==27147== Parent PID: 11203
> ==27147==
> ==27147== Invalid write of size 1
> ==27147==    at 0x40253C: parsebuf (main.c:733)
> ==27147==    by 0x402257: pdesc (main.c:626)
> ==27147==    by 0x401DEC: fdesc (main.c:487)
> ==27147==    by 0x40198F: ffile (main.c:340)
> ==27147==    by 0x401819: main (main.c:276)
> ==27147==  Address 0x518b2a2 is 0 bytes after a block of size 2 alloc'd
> ==27147==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
> ==27147==    by 0x401ACB: resize_buf (main.c:381)
> ==27147==    by 0x4024F9: parsebuf (main.c:730)
> ==27147==    by 0x402257: pdesc (main.c:626)
> ==27147==    by 0x401DEC: fdesc (main.c:487)
> ==27147==    by 0x40198F: ffile (main.c:340)
> ==27147==    by 0x401819: main (main.c:276)

Index: main.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/main.c,v
retrieving revision 1.61
diff -u -p -r1.61 main.c
--- main.c	9 Dec 2010 23:01:18 -0000	1.61
+++ main.c	11 Dec 2010 17:01:40 -0000
@@ -375,7 +375,7 @@ static void resize_buf(struct buf *buf, size_t initial) { - buf->sz = buf->sz ? 2 * buf->sz : initial; + buf->sz = buf->sz >= initial ? 2 * buf->sz : initial; buf->buf = realloc(buf->buf, buf->sz); if (NULL == buf->buf) { perror(NULL); -- To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv
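Review bot: the new condition still lets the buffer come up short when `buf->sz` is just below `initial`: with `buf->sz == 255` it grows to 256 only, yet parsebuf() copies two bytes after a single `resize_buf(&ln, 256)` call (the `ln.buf[pos++] = blk.buf[i++];` pair quoted above), so with `pos` already at 255 the second byte still lands at index 256. Growing to the larger of `2 * buf->sz` and `initial`, e.g. `buf->sz = 2 * buf->sz > initial ? 2 * buf->sz : initial;`, covers that case together with the `sz == 1` case from the report; a one-line comment explaining why `buf->sz` can be below `initial` at all (an empty macro expansion hands back a one-byte buffer) would also spare the next reader the valgrind hunt.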
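To make the analysis above reproducible without mandoc, here is an added example (not code from the mail or from mandoc): it replays the reported sequence, an empty macro expansion leaving a one-byte buffer followed by the offender line `(\s-1asdfasd\s0) fdsafdsa`, against both growth policies of resize_buf() and reports where the first out-of-bounds write would occur instead of performing it. The two capacity checks (pos >= sz for a plain byte, pos + 1 >= sz for a two-byte escape) are modelled on parsebuf() and are an assumption of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable line buffer shaped like mandoc's struct buf (constructed here). */
struct buf { char *buf; size_t sz; };
/* Replay result: first out-of-bounds write index (-1 if the line fits), size reached. */
struct replay { long bad; size_t sz; };

/* resize_buf(): `patched` selects the diff's condition, else pre-patch doubling. */
static void
resize_buf(struct buf *buf, size_t initial, int patched)
{
	int grow = patched ? buf->sz >= initial : buf->sz != 0;
	buf->sz = grow ? 2 * buf->sz : initial;
	buf->buf = realloc(buf->buf, buf->sz);
	if (NULL == buf->buf) {
		perror(NULL);
		exit(EXIT_FAILURE);
	}
}

/* Replay the report: the empty macro expansion leaves ln = "" with sz == 1 and
 * the next input line is appended byte by byte.  The checks (pos >= sz for a
 * plain byte, pos + 1 >= sz for a two-byte escape, one resize_buf(&ln, 256)
 * call when they fail) are modelled on parsebuf() and are an assumption here. */
static struct replay
replay_append(int patched)
{
	const char *next = "(\\s-1asdfasd\\s0) fdsafdsa"; /* offender line */
	struct buf ln = { calloc(1, 1), 1 };	/* expansion of the empty macro */
	struct replay r = { -1, 0 };
	size_t pos = 0, i = 0, n = strlen(next), need;
	if (NULL == ln.buf)
		exit(EXIT_FAILURE);
	while (i < n) {
		need = ('\\' == next[i] && i + 1 < n) ? 2 : 1;
		if (pos + need - 1 >= ln.sz)
			resize_buf(&ln, 256, patched);
		if (pos + need - 1 >= ln.sz) {
			r.bad = (long)ln.sz;	/* first byte past the block; never written */
			break;
		}
		while (need-- > 0)
			ln.buf[pos++] = next[i++];
	}
	r.sz = ln.sz;
	free(ln.buf);
	return r;
}
```

Before the patch the replay stops at index 2 of a 2-byte block, exactly what valgrind reported; after it the buffer jumps to 256 bytes and the whole line fits.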