p.dalgaard at biostat.ku.dk
2008-Apr-26 07:40 UTC
[Rd] Bug in R 2.7 for over long lines (crasher+proposed fix!) (PR#11284)
bugreports at nn7.de wrote:
> OK, I am just sending it here too as it looks like r-devel at r-project.org
> is not the right place:
>
I think it was seen there too, just that no one got around to reply. In
R-bugs, there's a filing system so that it won't be completely forgotten...
However, your mail seems to have gotten encoded in quoted-printable, you
might want to follow up with a cleaned version. (Just keep the
(PR#11281) in the header).

> On Fri, 2008-04-25 at 08:48 +0200, Soeren Sonnenburg wrote:
>
>> While trying to fix swig & R2.7 I actually discovered that there is a
>> bug in R 2.7 causing a crash (so R & swig might actually work):
>>
>> the bug is in ./src/main/gram.c line 3038:
>>
>>                 } else { /* over-long line */
>> fixthis -->         char *LongLine = (char *) malloc(nc);
>>                     if(!LongLine)
>>                         error(_("unable to allocate space for source line %d"), xxlineno);
>>                     strncpy(LongLine, (char *)p0, nc);
>> bug -->             LongLine[nc] = '\0';
>>                     SET_STRING_ELT(source, lines++,
>>                                    mkChar2((char *)LongLine));
>>                     free(LongLine);
>>
>> note that LongLine is only nc chars long, so the LongLine[nc]='\0' might
>> be an out of bounds write. the fix would be to do
>>
>>     char *LongLine = (char *) malloc(nc+1);
>>
>> in line 3034
>>
>> Please fix and thanks to dirk for the debian r-base-dbg package!
>>
>
> Looking at the code again there seems to be another bug above this for
> the MAXLINESIZE test too:
>
>     if (*p == '\n' || p == end - 1) {
>         nc = p - p0;
>         if (*p != '\n')
>             nc++;
>         if (nc <= MAXLINESIZE) {
>             strncpy((char *)SourceLine, (char *)p0, nc);
> bug2 -->    SourceLine[nc] = '\0';
>             SET_STRING_ELT(source, lines++,
>                            mkChar2((char *)SourceLine));
>         } else { /* over-long line */
>             char *LongLine = (char *) malloc(nc+1);
>             if(!LongLine)
>                 error(_("unable to allocate space for source line %d"),
>                       xxlineno);
> bug1 -->    strncpy(LongLine, (char *)p0, nc);
>             LongLine[nc] = '\0';
>             SET_STRING_ELT(source, lines++,
>                            mkChar2((char *)LongLine));
>             free(LongLine);
>         }
>         p0 = p + 1;
>     }
>
>
> So I guess the test would be for nc < MAXLINESIZE above or to change
> SourceLine to have MAXLINESIZE+1 size.
>
> Alternatively as the strncpy manpage suggests do this for all
> occurrences of strncpy
>
>     strncpy(buf, str, n);
>     if (n > 0)
>         buf[n - 1] = '\0';
>
> this could even be made a macro / helper function ...
>
> And another update: This does fix the R+swig crasher for me (tested)!
>
> Soeren
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>

--
   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)                  FAX: (+45) 35327907
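The line-splitting loop discussed in the thread, rewritten with both sizing fixes it proposes (a heap buffer of nc + 1 bytes and a SourceLine of MAXLINESIZE + 1 bytes) and with the strncpy/terminator pair replaced by one helper that always terminates. This is an added standalone example, not R's gram.c; split_source_lines, copy_line and the deliberately tiny MAXLINESIZE are stand-ins chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Kept tiny on purpose so a short test input exercises the over-long path. */
#define MAXLINESIZE 16

/* MAXLINESIZE + 1 bytes: a line of exactly MAXLINESIZE chars plus its
 * terminator now fits, which the "bug2" write in the thread relied on. */
static char SourceLine[MAXLINESIZE + 1];

/* Copy nc bytes and terminate; dst must hold nc + 1 bytes.  Unlike a bare
 * strncpy() this always leaves dst NUL-terminated. */
static void copy_line(char *dst, const char *src, size_t nc)
{
    memcpy(dst, src, nc);
    dst[nc] = '\0';
}

/* Split text[0..len) into lines the way the parser loop does.  Each line
 * is stored in out[] as a malloc()ed string (caller frees); at most
 * max_lines are stored.  Returns the number of lines stored. */
size_t split_source_lines(const char *text, size_t len,
                          char **out, size_t max_lines)
{
    const char *p0 = text, *end = text + len;
    size_t lines = 0;
    for (const char *p = text; p < end && lines < max_lines; p++) {
        if (*p == '\n' || p == end - 1) {
            size_t nc = (size_t)(p - p0);
            if (*p != '\n') nc++;          /* final line lacks a newline */
            char *line;
            if (nc <= MAXLINESIZE) {
                copy_line(SourceLine, p0, nc);  /* nc + 1 <= sizeof SourceLine */
                line = malloc(nc + 1);
                if (line) copy_line(line, SourceLine, nc);
            } else {                       /* over-long line */
                line = malloc(nc + 1);     /* was malloc(nc): one byte short */
                if (line) copy_line(line, p0, nc);
            }
            if (!line) {
                fprintf(stderr, "unable to allocate space for source line\n");
                break;
            }
            out[lines++] = line;
            p0 = p + 1;
        }
    }
    return lines;
}
```

Running it under AddressSanitizer or valgrind with the two "+ 1" terms removed reproduces the one-byte overruns the thread describes; with them in place the same inputs are clean.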