[Rd] writeChar potential buffer overrun (PR#5090)

mjw at celos.net mjw at celos.net
Fri Nov 14 20:35:06 MET 2003

Trying to copy the (binary) header of a input file directly
to an output file, I've had repeatable seg faults.  The call:

  writeChar(hdr, outfh, nchars=6144)

when hdr just contains one empty string seems to be the
culprit.  The stack traces weren't all that illuminating,
with sig 11 in memory-related functions following this.  But
in src/main/connections.c it looks like do_writechar doesn't
check the length of strings when given an explicit nchars
argument; so I think the strncpy() call will read too far.

[This happened because I didn't remember that R lets null
terminate strings; so I did a readChar(infh, nchars=6144)
through some nulls at the start of the header, and ended up
with a much shorter string than I was expecting.  As far as
I can tell do_readchar still behaves in these circumstances,
and in any case I can produce the fault without it.]

Using readBin and writeBin with integer() and size=1 seems
to be the solution for header copying, but the faults still
seemed worth reporting.

I'm currently using R 1.8.0 on NetBSD/i386 1.6.1.

Mark <><

More information about the R-devel mailing list