[Rd] Bug in R 2.7 for over long lines (crasher+proposed fix!) (PR#11284)

p.dalgaard at biostat.ku.dk p.dalgaard at biostat.ku.dk
Sat Apr 26 09:40:10 CEST 2008


bugreports at nn7.de wrote:
> OK, I am just sending it here too as it looks like r-devel at r-project.org
> is not the right place:
>
I think it was seen there too, just that no one got around to reply. In
R-bugs, there's a filing system so that it won't be completely forgotten...

However, your mail seems to have gotten encoded in quoted-printable, you
might want to follow up with a cleaned version. (Just keep the
(PR#11281) in the header).
> On Fri, 2008-04-25 at 08:48 +0200, Soeren Sonnenburg wrote:
>
>> While trying to fix swig & R2.7 I actually discovered that there is a
>> bug in R 2.7 causing a crash (so R & swig might actually work):
>>
>> the bug is in ./src/main/gram.c  line 3038:
>>
>>             } else { /* over-long line */
>> fixthis --> char *LongLine = (char *) malloc(nc);
>>             if(!LongLine)
>>                 error(_("unable to allocate space for source line %d"), xxlineno);
>>             strncpy(LongLine, (char *)p0, nc);
>>  bug -->    LongLine[nc] = '\0';
>>             SET_STRING_ELT(source, lines++,
>>                        mkChar2((char *)LongLine));
>>             free(LongLine);
>>
>> note that LongLine is only nc chars long, so the LongLine[nc]='\0' might
>> be an out of bounds write. the fix would be to do
>>
>>             char *LongLine = (char *) malloc(nc+1);
>>
>> in line 3034
>>
>> Please fix and thanks to dirk for the debian r-base-dbg package!
>>
>
> Looking at the code again there seems to be another bug above this for
> the MAXLINESIZE test too:
>
>         if (*p == '\n' || p == end - 1) {
>             nc = p - p0;
>             if (*p != '\n')
>             nc++;
>             if (nc <= MAXLINESIZE) {
>             strncpy((char *)SourceLine, (char *)p0, nc);
> bug2 -->    SourceLine[nc] = '\0';
>             SET_STRING_ELT(source, lines++,
>                        mkChar2((char *)SourceLine));
>             } else { /* over-long line */
>             char *LongLine = (char *) malloc(nc+1);
>             if(!LongLine)
>                 error(_("unable to allocate space for source line %d"), xxlineno);
> bug1 -->    strncpy(LongLine, (char *)p0, nc);
>             LongLine[nc] = '\0';
>             SET_STRING_ELT(source, lines++,
>                        mkChar2((char *)LongLine));
>             free(LongLine);
>             }
>             p0 = p + 1;
>         }
>
>
> So I guess the test would be for nc < MAXLINESIZE above or to change
> SourceLine to have MAXLINESIZE+1 size.
>
> Alternatively as the strncpy manpage suggests do this for all
> occurrences of strncpy
>
>            strncpy(buf, str, n);
>            if (n > 0)
>                buf[n - 1] = '\0';
>
> this could even be made a macro / helper function ...
>
> And another update: This does fix the R+swig crasher for me (tested)!
>
> Soeren
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>


-- 
   O__  ---- Peter Dalgaard             Øster Farimagsgade 5, Entr.B
  c/ /'_ --- Dept. of Biostatistics     PO Box 2099, 1014 Cph. K
 (*) \(*) -- University of Copenhagen   Denmark      Ph:  (+45) 35327918
~~~~~~~~~~ - (p.dalgaard at biostat.ku.dk)              FAX: (+45) 35327907
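The two off-by-one writes Soeren points at (the terminator landing at `SourceLine[MAXLINESIZE]` when `nc == MAXLINESIZE`, and at `LongLine[nc]` when only `nc` bytes were allocated) both come from sizing a buffer for the payload and forgetting the terminator. The following is an added, stand-alone C example (not code from R's gram.c or from the thread) that reproduces the line-splitting loop from the quoted report with the two sizes corrected: the fixed buffer is declared `MAXLINESIZE + 1` and the heap copy asks for `nc + 1`, so the terminator at index `nc` is always inside the object. `MAXLINESIZE` is shrunk to 8 and the sample text is constructed so that one line is exactly 8 bytes (the boundary the `nc <= MAXLINESIZE` test lets through) and one is longer. The names `copy_terminated`, `source_line`, `count_source_lines` and the `demo_*` helpers are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed: a tiny limit so the boundary case is easy to exercise. */
#define MAXLINESIZE 8

/* MAXLINESIZE + 1 so that SourceLine[MAXLINESIZE] (the terminator for a
   line of exactly MAXLINESIZE bytes) is still inside the array. */
static char SourceLine[MAXLINESIZE + 1];

/* Copy exactly nc bytes and append the terminator. dst must have room
   for nc + 1 bytes; memcpy is used because the byte count is known and
   the source need not be NUL-terminated. */
static void copy_terminated(char *dst, const char *src, size_t nc) {
    memcpy(dst, src, nc);
    dst[nc] = '\0';
}

/* Return a NUL-terminated copy of the nc bytes at p0. Lines that fit use
   the static buffer; longer ones get a heap copy of nc + 1 bytes. *heap is
   set to 1 when the caller must free() the result. NULL on allocation
   failure (the caller decides how to report it). */
char *source_line(const char *p0, size_t nc, int *heap) {
    if (nc <= MAXLINESIZE) {            /* nc + 1 <= sizeof SourceLine */
        copy_terminated(SourceLine, p0, nc);
        *heap = 0;
        return SourceLine;
    }
    char *LongLine = malloc(nc + 1);    /* +1 for the terminator */
    if (!LongLine)
        return NULL;
    copy_terminated(LongLine, p0, nc);
    *heap = 1;
    return LongLine;
}

/* Split text into lines the way the quoted parser loop does. Returns the
   number of lines, or -1 on allocation failure, and stores the length of
   the longest line in *longest. strlen() on each copy confirms that the
   terminator landed exactly at offset nc. */
int count_source_lines(const char *text, size_t len, size_t *longest) {
    const char *p0 = text, *end = text + len;
    int lines = 0;
    *longest = 0;
    for (const char *p = text; p < end; p++) {
        if (*p == '\n' || p == end - 1) {
            size_t nc = (size_t)(p - p0);
            if (*p != '\n')
                nc++;                   /* final line without a newline */
            int heap;
            char *line = source_line(p0, nc, &heap);
            if (!line)
                return -1;
            if (strlen(line) > *longest)
                *longest = strlen(line);
            if (heap)
                free(line);
            lines++;
            p0 = p + 1;
        }
    }
    return lines;
}

/* Constructed sample: "12345678" is exactly MAXLINESIZE bytes (the case
   where the original SourceLine[nc] write went one past an 8-byte buffer)
   and "longer-than-eight" takes the heap path. */
static const char SAMPLE[] = "ab\n12345678\nlonger-than-eight\nx";

int demo_line_count(void) {
    size_t longest;
    return count_source_lines(SAMPLE, sizeof SAMPLE - 1, &longest);
}

size_t demo_longest_line(void) {
    size_t longest;
    count_source_lines(SAMPLE, sizeof SAMPLE - 1, &longest);
    return longest;
}

int main(void) {
    printf("lines=%d longest=%zu\n", demo_line_count(), demo_longest_line());
    return 0;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and then changing either `+ 1` back to the original size is a quick way to see the report: the 8-byte line triggers the global-buffer-overflow on `SourceLine`, the 17-byte line the heap-buffer-overflow on `LongLine`.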


