tech@mandoc.bsd.lv
* malloc canary corruption
@ 2019-02-13  5:45 Anthony J. Bentley
From: Anthony J. Bentley @ 2019-02-13  5:45 UTC (permalink / raw)
  To: tech

Hi,

I noticed rancid's par(1) caused mandoc to crash.

$ sysctl vm.malloc_conf
vm.malloc_conf=C
$ cat example # note the blank line
.P
.El
.El

$ mandoc example
mandoc(90888) in free(): chunk canary corrupted 0xb73c1ad12f0 0x1@0x1
Abort trap (core dumped)

-- 
Anthony J. Bentley
--
 To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv


* Re: malloc canary corruption
@ 2019-03-19 16:38 ` Ingo Schwarze
From: Ingo Schwarze @ 2019-03-19 16:38 UTC (permalink / raw)
  To: Anthony J. Bentley; +Cc: tech

Hi Anthony,

Anthony J. Bentley wrote on Tue, Feb 12, 2019 at 10:45:16PM -0700:

> I noticed rancid's par(1) caused mandoc to crash.
> 
> $ sysctl vm.malloc_conf
> vm.malloc_conf=C
> $ cat example # note the blank line
> .P
> .El
> .El
> 
> $ mandoc example
> mandoc(90888) in free(): chunk canary corrupted 0xb73c1ad12f0 0x1@0x1
> Abort trap (core dumped)

Fixed with the commit below.

In case of an empty input line, control flow exits the inner while(i)
loop early, never reaching the ln.sz / resize_buf() check inside
the loop.  The simplest and most robust fix is to also do the ln.sz
check at the other place writing to the buffer, outside the inner
loop.

Thanks for reporting and sorry for the delay caused by overlooking
these two bug reports.

Yours,
  Ingo


Log Message:
-----------
When the last line of the input is empty and the previous line reduced
the line input buffer to a length of one byte, do not write one byte
past the end of the line input buffer.  Minimal code to show the bug:
printf ".ds X\n.X\n\n" | MALLOC_OPTIONS=C mandoc
Bug found by bentley@ in the sysutils/rancid par(1) manual page.

Modified Files:
--------------
    mandoc:
        read.c

Revision Data
-------------
Index: read.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/read.c,v
retrieving revision 1.211
retrieving revision 1.212
diff -Lread.c -Lread.c -u -p -r1.211 -r1.212
--- read.c
+++ read.c
@@ -255,6 +255,8 @@ mparse_buf_r(struct mparse *curp, struct
 		/* XXX Ugly hack to mark the end of the input. */
 
 		if (i == blk.sz || blk.buf[i] == '\0') {
+			if (pos + 2 > ln.sz)
+				resize_buf(&ln, 256);
 			ln.buf[pos++] = '\n';
 			ln.buf[pos] = '\0';
 		}
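Review bot: the bounds check is correct (the two stores below touch indices pos and pos+1, so ln.sz must be at least pos + 2, which is exactly what `if (pos + 2 > ln.sz)` guards), but it now duplicates the ln.sz / resize_buf() check that lives inside the inner loop; add a comment saying why it is repeated here (an empty input line leaves the loop before that check runs) or move both into a small helper so the next person does not "deduplicate" it away. The hunk also relies on a single resize_buf(&ln, 256) leaving room for pos + 2 bytes, which holds if the call grows the buffer by at least 256 bytes but is not visible in this hunk; one line stating that guarantee would help.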
--

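The corruption Ingo describes, as an added C example that is not mandoc's code: a one-byte line buffer followed by a guard byte (standing in for the chunk canary that MALLOC_OPTIONS=C makes free() verify), written to first with the pre-fix end-of-input stores and then with the post-fix ones from r1.212. The struct and function names (lbuf, eol_unchecked, eol_checked, probe) and the guard value are invented for the example; resize_buf()'s real behaviour is not shown on the page, so lbuf_resize() only assumes it grows the buffer by the requested number of bytes.

```c
/* Added example, not mandoc code: models the end-of-input write in
 * read.c against a buffer with an explicit guard byte, so the one-byte
 * overflow is observable without relying on the platform allocator. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5	/* constructed canary value, not malloc's real one */

struct lbuf {
	char   *buf;	/* sz usable bytes, then one guard byte */
	size_t  sz;	/* usable size, plays the role of ln.sz */
};

/* Allocate sz usable bytes and place the guard right after them. */
static void
lbuf_init(struct lbuf *ln, size_t sz)
{
	ln->sz = sz;
	ln->buf = malloc(sz + 1);
	if (ln->buf == NULL)
		abort();
	memset(ln->buf, 0, sz);
	ln->buf[sz] = (char)GUARD;
}

/* Grow by `by` bytes and move the guard to the new end (assumed
 * resize_buf() semantics; the real function is not on the page). */
static void
lbuf_resize(struct lbuf *ln, size_t by)
{
	char *nb = realloc(ln->buf, ln->sz + by + 1);
	if (nb == NULL)
		abort();
	ln->buf = nb;
	ln->sz += by;
	ln->buf[ln->sz] = (char)GUARD;
}

/* 1 if the byte just past the usable area is still the guard. */
static int
lbuf_canary_ok(const struct lbuf *ln)
{
	return (unsigned char)ln->buf[ln->sz] == GUARD;
}

/* Pre-fix pattern: two stores with no check that pos + 2 <= sz.
 * With sz == 1 and pos == 0 the second store lands on the guard. */
static void
eol_unchecked(struct lbuf *ln, size_t pos)
{
	ln->buf[pos++] = '\n';
	ln->buf[pos] = '\0';
}

/* Post-fix pattern (r1.212): make room before the two stores. */
static void
eol_checked(struct lbuf *ln, size_t pos)
{
	if (pos + 2 > ln->sz)
		lbuf_resize(ln, 256);
	ln->buf[pos++] = '\n';
	ln->buf[pos] = '\0';
}

/* Run one variant in the state the commit message describes: the
 * previous line shrank the buffer to one byte and the current input
 * line is empty (pos == 0). Returns 1 if the guard survived, 0 if the
 * end-of-line write clobbered it. */
static int
probe(void (*eol)(struct lbuf *, size_t))
{
	struct lbuf ln;
	int ok;

	lbuf_init(&ln, 1);
	eol(&ln, 0);
	ok = lbuf_canary_ok(&ln);
	free(ln.buf);
	return ok;
}

int
main(void)
{
	printf("unchecked: guard %s\n",
	    probe(eol_unchecked) ? "intact" : "CORRUPTED");
	printf("checked:   guard %s\n",
	    probe(eol_checked) ? "intact" : "CORRUPTED");
	return 0;
}
```

Build with `cc -Wall -o probe probe.c && ./probe`. The guard byte here is checked immediately after the write; OpenBSD's allocator does the equivalent check on the chunk's own canary when the buffer is freed, which is why the report shows the abort "in free()" rather than at the offending store.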

Archives are clonable: git clone --mirror http://inbox.vuxu.org/mandoc-tech