help / color / mirror / Atom feed
From: Ingo Schwarze <>
To: "Anthony J. Bentley" <>
Subject: Re: malloc canary corruption
Date: Tue, 19 Mar 2019 17:38:23 +0100	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

Hi Anthony,

Anthony J. Bentley wrote on Tue, Feb 12, 2019 at 10:45:16PM -0700:

> I noticed rancid's par(1) caused mandoc to crash.
> $ sysctl vm.malloc_conf
> vm.malloc_conf=C
> $ cat example # note the blank line
> .P
> .El
> .El
> $ mandoc example
> mandoc(90888) in free(): chunk canary corrupted 0xb73c1ad12f0 0x1@0x1
> Abort trap (core dumped)

Fixed with the commit below.

In case of an empty input line, control flow exits the inner while(i)
loop early, never reaching the / resize_buf() check inside
the loop.  The simplest and most robust fix is to also do the
check at the other place writing to the buffer, outside the inner

Thanks for reporting and sorry for the delay caused by overlooking
these two bug reports.


Log Message:
When the last line of the input is empty and the previous line reduced
the line input buffer to a length of one byte, do not write one byte 
past the end of the line input buffer.  Minimal code to show the bug:
printf ".ds X\n.X\n\n" | MALLOC_OPTIONS=C mandoc
Bug found by bentley@ in the sysutils/rancid par(1) manual page.

Modified Files:

Revision Data
Index: read.c
RCS file: /home/cvs/mandoc/mandoc/read.c,v
retrieving revision 1.211
retrieving revision 1.212
diff -Lread.c -Lread.c -u -p -r1.211 -r1.212
--- read.c
+++ read.c
@@ -255,6 +255,8 @@ mparse_buf_r(struct mparse *curp, struct
 		/* XXX Ugly hack to mark the end of the input. */
 		if (i == || blk.buf[i] == '\0') {
+			if (pos + 2 >
+				resize_buf(&ln, 256);
 			ln.buf[pos++] = '\n';
 			ln.buf[pos] = '\0';
 To unsubscribe send an email to

      reply	other threads:[~2019-03-19 16:38 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-13  5:45 Anthony J. Bentley
2019-03-19 16:38 ` Ingo Schwarze [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \
    --subject='Re: malloc canary corruption' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).