[Rd] writeChar potential buffer overrun (PR#5090)

mjw at celos.net mjw at celos.net
Fri Nov 14 20:35:06 MET 2003


Trying to copy the (binary) header of an input file directly
to an output file, I've had repeatable seg faults.  The call:

  writeChar(hdr, outfh, nchars=6144)

when hdr just contains one empty string seems to be the
culprit.  The stack traces weren't all that illuminating,
with sig 11 in memory-related functions following this.  But
in src/main/connections.c it looks like do_writechar doesn't
check the length of strings when given an explicit nchars
argument; so I think the strncpy() call will read too far.

[This happened because I didn't remember that R lets null
terminate strings; so I did a readChar(infh, nchars=6144)
through some nulls at the start of the header, and ended up
with a much shorter string than I was expecting.  As far as
I can tell do_readchar still behaves in these circumstances,
and in any case I can produce the fault without it.]

Using readBin and writeBin with integer() and size=1 seems
to be the solution for header copying, but the faults still
seemed worth reporting.

I'm currently using R 1.8.0 on NetBSD/i386 1.6.1.

Mark <><
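The length check the report says do_writechar lacks, as an added C example (not R's code and not the fix R applied): the source string is measured with a bound of nchars before anything is copied, so an nchars larger than the string yields a short copy rather than an over-read. write_char_checked, bounded_len and copy_report are names assumed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Report returned by write_char_checked (hypothetical name, not R's API). */
typedef struct {
    size_t requested;  /* nchars the caller asked for              */
    size_t available;  /* bytes present before the terminating NUL */
    size_t written;    /* bytes actually placed into out           */
} copy_report;

/* Length of s, scanning no further than limit bytes. Stands in for
 * strnlen() so the example needs no feature-test macro. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Copy up to nchars bytes of s into out (capacity outcap) without reading
 * past the string's NUL. An nchars larger than the string (the PR#5090
 * case: empty string, nchars = 6144) gives a short copy, not an over-read.
 * A trailing NUL is written when there is room for it. */
static copy_report write_char_checked(const char *s, size_t nchars,
                                      unsigned char *out, size_t outcap)
{
    copy_report r;
    r.requested = nchars;
    r.available = bounded_len(s, nchars);
    r.written = r.available < outcap ? r.available : outcap;
    memcpy(out, s, r.written);
    if (r.written < outcap)
        out[r.written] = '\0';
    return r;
}

int main(void)
{
    unsigned char buf[8192];
    /* Constructed input: the one empty string from the report. */
    copy_report r = write_char_checked("", 6144, buf, sizeof buf);
    printf("requested %zu, available %zu, written %zu\n",
           r.requested, r.available, r.written);
    return 0;
}
```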
