[Rd] strsignif.c, util.c (PR#10635)

ripley at stats.ox.ac.uk ripley at stats.ox.ac.uk
Fri Jan 25 14:25:15 CET 2008


On Fri, 25 Jan 2008, A.R.Runnalls at kent.ac.uk wrote:

> In R 2.6.1, a couple of places (discovered using valgrind) where the
> requested size of string buffers fails to account correctly for the
> trailing null byte:
>
> 1. In src/appl/strsignif.c, 'f0' and 'form' at l. 108-9 each need at
> least 1 extra byte.
>
> 2. In src/main/util.c, 'out' at l. 1081 needs at least one extra byte.
>
> (Remember that the return value of strlen does not include the null byte.)

But it is subtler than that.  R_alloc contains the statement

 	s = allocVector(RAWSXP, size + 1);

and so does over-allocate by at least one (there is a rounding up to a 
multiple of 8).  This is a historical anomaly (it used to allocate a 
CHARSXP that allowed for the null byte), but one which trying to eliminate 
caused too many crashes in package code.

I'd like to see the empirical evidence you have, as I have been unable to 
trigger an overrun here.

-- 
Brian D. Ripley,                  ripley at stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595
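As an added illustration, not code from R or from either correspondent: a small model of the over-allocation Ripley describes (request `size + 1`, rounded up to a multiple of 8), a check of how much slack that leaves when a caller forgets the terminator, and a formatter sized correctly from the start. The rounding function is an assumption based on the post's wording, not R's actual allocator.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the allocation described in the post: R_alloc requests
 * size + 1 bytes and the result is rounded up to a multiple of 8.
 * Illustrative assumption only, not R's real implementation. */
size_t r_alloc_model_bytes(size_t size)
{
    size_t n = size + 1;
    return (n + 7) & ~(size_t)7;
}

/* Bytes a C string really needs: strlen() does not count the NUL. */
size_t bytes_needed(const char *s)
{
    return strlen(s) + 1;
}

/* Spare bytes left when a caller requests only strlen(s) (the
 * off-by-one in the report) but the buffer comes from the modelled
 * R_alloc. The result is never negative, which is why the missing
 * +1 does not overrun and valgrind-style tools see nothing. */
long slack_when_requesting_strlen(const char *s)
{
    size_t got = r_alloc_model_bytes(strlen(s));
    return (long)got - (long)bytes_needed(s);
}

/* Correctly sized formatting: measure with vsnprintf first, then
 * allocate the measured length plus one byte for the terminator.
 * The caller frees the result. */
char *format_exact(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (len < 0) return NULL;
    char *buf = malloc((size_t)len + 1);   /* +1 for the NUL byte */
    if (!buf) return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)len + 1, fmt, ap);
    va_end(ap);
    return buf;
}
```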
