Date: Tue, 19 Mar 2019 17:38:23 +0100
From: Ingo Schwarze
To: "Anthony J. Bentley"
Cc: tech@mandoc.bsd.lv
Subject: Re: malloc canary corruption
Message-ID: <20190319163823.GC61541@athene.usta.de>
References: <47544.1550036716@desktop.ajb.soy>
X-Mailinglist: mandoc-tech
Reply-To: tech@mandoc.bsd.lv
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <47544.1550036716@desktop.ajb.soy>
User-Agent: Mutt/1.8.0 (2017-02-23)

Hi Anthony,

Anthony J. Bentley wrote on Tue, Feb 12, 2019 at 10:45:16PM -0700:

> I noticed rancid's par(1) caused mandoc to crash.
>
> $ sysctl vm.malloc_conf
> vm.malloc_conf=C
> $ cat example # note the blank line
> .P
> .El
> .El
>
> $ mandoc example
> mandoc(90888) in free(): chunk canary corrupted 0xb73c1ad12f0 0x1@0x1
> Abort trap (core dumped)

Fixed with the commit below.

In case of an empty input line, control flow exits the inner while(i) loop early, never reaching the ln.sz / resize_buf() check inside the loop. The simplest and most robust fix is to also do the ln.sz check at the other place writing to the buffer, outside the inner loop.

Thanks for reporting and sorry for the delay caused by overlooking these two bug reports.

Yours,
  Ingo

Log Message:
-----------
When the last line of the input is empty and the previous line reduced the line input buffer to a length of one byte, do not write one byte past the end of the line input buffer.

Minimal code to show the bug:
printf ".ds X\n.X\n\n" | MALLOC_OPTIONS=C mandoc

Bug found by bentley@ in the sysutils/rancid par(1) manual page.

Modified Files:
--------------
    mandoc:
        read.c

Revision Data
-------------
Index: read.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/read.c,v
retrieving revision 1.211
retrieving revision 1.212
diff -Lread.c -Lread.c -u -p -r1.211 -r1.212
--- read.c
+++ read.c
@@ -255,6 +255,8 @@ mparse_buf_r(struct mparse *curp, struct /* XXX Ugly hack to mark the end of the input. */ if (i == blk.sz || blk.buf[i] == '\0') { + if (pos + 2 > ln.sz) + resize_buf(&ln, 256); ln.buf[pos++] = '\n'; ln.buf[pos] = '\0'; }
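Review bot: the guard `if (pos + 2 > ln.sz) resize_buf(&ln, 256);` is sized correctly for the two bytes written at ln.buf[pos] and ln.buf[pos + 1], but it repeats the check from the inner loop without saying why, and a later reader may drop one copy as redundant; add a one-line comment at this site noting that an empty input line skips the inner loop, so the check there never runs for this write. The fix also relies on a single resize_buf(&ln, 256) call growing ln.sz by at least two bytes from whatever size it has now; if that contract is not obvious from resize_buf itself, state it in a comment or assertion here. The printf reproduction in the log message is small enough to keep as a regression test run under MALLOC_OPTIONS=C.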
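As an added illustration of the control flow Ingo describes, the following is a constructed model of the line-reading step, not mandoc's own read.c; the buffer struct and the growth rule in resize_buf are assumptions, and the one-byte starting buffer reproduces the state the log message describes:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for mandoc's line buffer (not mandoc's own code). */
struct buf { char *buf; size_t sz; };

/* Assumed growth step: double the buffer, or start at `initial` when small. */
static void resize_buf(struct buf *b, size_t initial)
{
	b->sz = b->sz > initial / 2 ? b->sz * 2 : initial;
	b->buf = realloc(b->buf, b->sz);
	if (b->buf == NULL)
		abort();
}

/* Copy one input line from blk[i..] into ln and terminate it with "\n\0".
 * The copy loop checks ln->sz before every byte, but an empty line never
 * enters that loop, so the two-byte termination needs its own check (the
 * one the commit adds).  Returns the number of bytes before the NUL. */
static size_t read_line(struct buf *ln, const char *blk, size_t i, size_t blk_sz)
{
	size_t pos = 0;

	while (i < blk_sz && blk[i] != '\n') {
		if (pos + 2 > ln->sz)		/* check inside the loop */
			resize_buf(ln, 256);
		ln->buf[pos++] = blk[i++];
	}
	if (pos + 2 > ln->sz)			/* added check outside the loop */
		resize_buf(ln, 256);
	ln->buf[pos++] = '\n';
	ln->buf[pos] = '\0';
	return pos;
}

/* Run read_line on `input` starting from a buffer of initial_sz bytes;
 * return 1 if the result equals `expect` and the buffer was large enough
 * to hold it together with its terminating NUL. */
int check_case(const char *input, size_t initial_sz, const char *expect)
{
	struct buf ln = { malloc(initial_sz), initial_sz };
	size_t n = read_line(&ln, input, 0, strlen(input));
	int ok = n == strlen(expect) && strcmp(ln.buf, expect) == 0 &&
	    ln.sz >= n + 1;

	free(ln.buf);
	return ok;
}
```

Without the second check, check_case("\n", 1, "\n") writes two bytes into a one-byte allocation, which is exactly what the malloc canary caught in the report.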